Skip to content

WS-2019-0231 (Medium) detected in adm-zip-0.4.4.tgz - autoclosed #41

Closed
@mend-bolt-for-github

Description

@mend-bolt-for-github

WS-2019-0231 - Medium Severity Vulnerability

Vulnerable Library - adm-zip-0.4.4.tgz

A Javascript implementation of zip for nodejs. Allows user to create or extract zip files both in memory or to/from disk

Library home page: https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.4.tgz

Path to dependency file: angular/package.json

Path to vulnerable library: angular/node_modules/adm-zip

Dependency Hierarchy:

  • cldr-data-downloader-0.3.2.tgz (Root Library)
    • adm-zip-0.4.4.tgz (Vulnerable Library)

Found in HEAD commit: c6aca37f442da8c55a02d7c53ccc58100ab004f3

Found in base branch: labs/router

Vulnerability Details

adm-zip versions before 0.4.9 are vulnerable to Arbitrary File Write due to extraction of a specifically crafted archive that contains path traversal filenames

Publish Date: 2018-04-22

URL: WS-2019-0231

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/994

Release Date: 2019-09-09

Fix Resolution: 0.4.9


Step up your Open Source Security Game with WhiteSource here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions