WS-2020-0217 - Medium Severity Vulnerability
Vulnerable Library - bunyan-1.8.12.tgz
a JSON logging library for node.js services
Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz
Path to dependency file: /microsoftBotFramework/messages/package.json
Path to vulnerable library: microsoftBotFramework/messages/node_modules/bunyan/package.json
Dependency Hierarchy:
- restify-4.3.4.tgz (Root Library)
- ❌ bunyan-1.8.12.tgz (Vulnerable Library)
Vulnerability Details
A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.
Publish Date: 2020-06-27
URL: WS-2020-0217
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/trentm/node-bunyan/blob/master/CHANGES.md
Release Date: 2020-06-27
Fix Resolution: bunyan - 1.8.13,2.0.3
Step up your Open Source Security Game with WhiteSource here
WS-2020-0217 - Medium Severity Vulnerability
a JSON logging library for node.js services
Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz
Path to dependency file: /microsoftBotFramework/messages/package.json
Path to vulnerable library: microsoftBotFramework/messages/node_modules/bunyan/package.json
Dependency Hierarchy:
A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.
Publish Date: 2020-06-27
URL: WS-2020-0217
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/trentm/node-bunyan/blob/master/CHANGES.md
Release Date: 2020-06-27
Fix Resolution: bunyan - 1.8.13,2.0.3
Step up your Open Source Security Game with WhiteSource here