morgan-1.6.1.tgz: 2 vulnerabilities (highest severity is: 9.8) reachable

[dev-mend-for-github-com]

Vulnerable Library - morgan-1.6.1.tgz

HTTP request logger middleware for node.js

Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/morgan/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (morgan version)	Remediation Possible**	Reachability
CVE-636288-474053	Critical	9.8	on-headers-1.0.2.tgz	Transitive	N/A*	❌	Reachable
CVE-2019-5413	Critical	9.8	morgan-1.6.1.tgz	Direct	1.9.1	✅	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-636288-474053

Vulnerable Library - on-headers-1.0.2.tgz

Execute a listener when a response is about to write headers

Library home page: https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/on-headers/package.json

Dependency Hierarchy:

• morgan-1.6.1.tgz (Root Library)
  • ❌ on-headers-1.0.2.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

vulnerable-node-source-0.0.0/app.js (Application)
  -> express-session-1.18.1/index.js (Extension)
   -> ❌ on-headers-1.0.2/index.js (Vulnerable Component)

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-636288-474053

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-5413

Vulnerable Library - morgan-1.6.1.tgz

HTTP request logger middleware for node.js

Library home page: https://registry.npmjs.org/morgan/-/morgan-1.6.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/morgan/package.json

Dependency Hierarchy:

• ❌ morgan-1.6.1.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

Publish Date: 2019-03-17

URL: CVE-2019-5413

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/390881

Release Date: 2019-03-21

Fix Resolution: 1.9.1

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[dev-mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[dev-mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.