Skip to content

cross-fetch-3.1.4.tgz: 1 vulnerabilities (highest severity is: 6.1) #2

Description

@mend-for-github-com
Vulnerable Library - cross-fetch-3.1.4.tgz

Path to dependency file: /packages/common/package.json

Path to vulnerable library: /packages/common/package.json

Found in HEAD commit: d6987b85b28d538b43966928818601effd8a4737

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cross-fetch version) Remediation Possible**
CVE-2022-0235 Medium 6.1 node-fetch-2.6.1.tgz Transitive 3.1.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /packages/common/package.json

Path to vulnerable library: /packages/common/package.json

Dependency Hierarchy:

  • cross-fetch-3.1.4.tgz (Root Library)
    • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: d6987b85b28d538b43966928818601effd8a4737

Found in base branch: develop

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (cross-fetch): 3.1.5

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions