CVE-2017-12964 (High) detected in node-sass-3.13.1.tgz - autoclosed

[mend-bolt-for-github]

CVE-2017-12964 - High Severity Vulnerability

Vulnerable Library - node-sass-3.13.1.tgz

Wrapper around libsass

Library home page: https://registry.npmjs.org/node-sass/-/node-sass-3.13.1.tgz

Path to dependency file: laravel-elixir-clean-unofficial/package.json

Path to vulnerable library: laravel-elixir-clean-unofficial/node_modules/node-sass

Dependency Hierarchy:

• laravel-elixir-6.0.0-15.tgz (Root Library)
  • gulp-sass-2.3.2.tgz
    • ❌ node-sass-3.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 6137d1b3e8146d3ba7b985492fc6b78cb1706fa2

Found in base branch: master

Vulnerability Details

There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.

Publish Date: 2017-08-18

URL: CVE-2017-12964

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: sass/libsass#2665

Release Date: 2017-08-18

Fix Resolution: Libsass:3.4.6, Node-sass:4.4.0

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #109

[mend-bolt-for-github]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #109

[mend-bolt-for-github]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #109

[mend-bolt-for-github]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #109