You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
mend-for-github-combot
changed the title
browser-sync-2.27.7.tgz: 3 vulnerabilities (highest severity is: 8.8)
browser-sync-2.27.7.tgz: 4 vulnerabilities (highest severity is: 8.8)
May 4, 2022
mend-for-github-combot
changed the title
browser-sync-2.27.7.tgz: 4 vulnerabilities (highest severity is: 8.8)
browser-sync-2.27.7.tgz: 3 vulnerabilities (highest severity is: 7.8)
May 17, 2022
Vulnerable Library - browser-sync-2.27.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Found in HEAD commit: d92f250a2ce73ce993893c4345da631a996c683c
Vulnerabilities
Details
CVE-2021-43138
Vulnerable Library - async-1.5.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/async/package.json
Dependency Hierarchy:
Found in HEAD commit: d92f250a2ce73ce993893c4345da631a996c683c
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution: async - v3.2.2
CVE-2020-36048
Vulnerable Library - engine.io-3.5.0.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/engine.io/package.json
Dependency Hierarchy:
Found in HEAD commit: d92f250a2ce73ce993893c4345da631a996c683c
Found in base branch: master
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 4.0.0-alpha.0
Direct dependency fix Resolution (browser-sync): 2.27.8
⛑️ Automatic Remediation is available for this issue
CVE-2022-0536
Vulnerable Library - follow-redirects-1.14.7.tgz
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in HEAD commit: d92f250a2ce73ce993893c4345da631a996c683c
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (browser-sync): 2.27.8
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: