game-ui / package.json

Vulnerabilities


Project: game-ui
File: package.json
Scanned on: 2020.11.01 20:52
Dependencies: 32
Vulnerabilities: 1
These dependencies all have known vulnerabilities. We recommend either removing them from the project or following the recommendations in the 'Recommendation' section, where available.

NodeJS/negotiator/0.6.0

Regular Expression Denial of Service

Publication date: 2016-06-16
CVSS score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Coordinating vendor: ^Lift Security

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The "Accept-Language" header, when parsed by negotiator, is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Timeline

  • April 29th 2016 - Initial report to maintainers
  • April 29th 2016 - Confirm receipt from maintainers
  • May 1st 2016 - Fix confirmed
  • May 5th 2016 - 0.6.1 published with fix
  • June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)

Affected versions: ["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]
Safe versions: [0.6.1, 0.6.2, 0.6.3]
Recommendation: Upgrade to at least version 0.6.1. Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.