CVE-2022-33987 (Medium) detected in got-9.6.0.tgz #1333

mend-for-jackfan.us.kg · 2022-06-20T06:39:29Z

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

ngx-childprocess-0.0.6.tgz (Root Library)
- electron-1.6.10.tgz
  - electron-13.6.6.tgz
    - get-1.13.1.tgz
      - ❌ got-9.6.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0

grossmj · 2022-08-12T15:38:10Z

This will be solved once #1328 is fixed

mend-for-jackfan.us.kg · 2025-01-20T06:53:59Z

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-jackfan.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jun 20, 2022

grossmj added this to the 3.0 milestone Jun 20, 2022

grossmj assigned rajnikantsolarwinds Jun 23, 2022

grossmj linked a pull request Aug 12, 2022 that will close this issue

Fix node-fetch CVE issue #1385

Merged

grossmj removed a link to a pull request Aug 12, 2022

Fix node-fetch CVE issue #1385

Merged

grossmj closed this as not planned Won't fix, can't repro, duplicate, stale Aug 12, 2022

mend-for-jackfan.us.kg bot reopened this Jan 20, 2025