CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz #188

mend-bolt-for-github · 2020-11-06T01:23:31Z

CVE-2018-1107 - Medium Severity Vulnerability

Vulnerable Library - is-my-json-valid-2.13.1.tgz

A JSONSchema validator that uses code generation to be extremely fast

Library home page: https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.13.1.tgz

Path to dependency file: amplify-cli/packages/amplify-category-interactions/package.json

Path to vulnerable library: amplify-cli/packages/amplify-category-interactions/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json,amplify-cli/packages/amplify-category-function/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json,amplify-cli/packages/amplify-category-api/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json,amplify-cli/packages/amplify-cli/node_modules/npm/node_modules/request/node_modules/har-validator/node_modules/is-my-json-valid/package.json

Dependency Hierarchy:

grunt-aws-lambda-0.13.0.tgz (Root Library)
- npm-2.15.12.tgz
  - request-2.74.0.tgz
    - har-validator-2.0.6.tgz
      - ❌ is-my-json-valid-2.13.1.tgz (Vulnerable Library)

Found in HEAD commit: 3833df1564b738a3f729dc6bff2583e4890060cc

Vulnerability Details

It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.

Publish Date: 2021-03-30

URL: CVE-2018-1107

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1546357

Release Date: 2020-07-21

Fix Resolution: 1.4.2,2.17.2

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Nov 6, 2020

mend-bolt-for-github bot changed the title ~~CVE-2018-1107 (High) detected in is-my-json-valid-2.13.1.tgz~~ CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz Apr 7, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz #188

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz #188

mend-bolt-for-github bot commented Nov 6, 2020 •

edited

Loading

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz #188

CVE-2018-1107 (Medium) detected in is-my-json-valid-2.13.1.tgz #188

Comments

mend-bolt-for-github bot commented Nov 6, 2020 • edited Loading

CVE-2018-1107 - Medium Severity Vulnerability

mend-bolt-for-github bot commented Nov 6, 2020 •

edited

Loading