Skip to content

nodemon-2.0.13.tgz: 1 vulnerabilities (highest severity is: 5.3) #3

Description

@mend-for-github-com
Vulnerable Library - nodemon-2.0.13.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Found in HEAD commit: 1e9f4312abe4dfff8ca69211cdb75c43881f6ae9

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nodemon version) Remediation Possible**
CVE-2022-33987 Medium 5.3 got-9.6.0.tgz Transitive 2.0.17

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-33987

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got/package.json

Dependency Hierarchy:

  • nodemon-2.0.13.tgz (Root Library)
    • update-notifier-5.1.0.tgz
      • latest-version-5.1.0.tgz
        • package-json-6.5.0.tgz
          • got-9.6.0.tgz (Vulnerable Library)

Found in HEAD commit: 1e9f4312abe4dfff8ca69211cdb75c43881f6ae9

Found in base branch: canary

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 11.8.6

Direct dependency fix Resolution (nodemon): 2.0.17

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions