CVE-2016-10539 (High) detected in negotiator-0.5.3.tgz

[mend-bolt-for-github]

CVE-2016-10539 - High Severity Vulnerability

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /NodeServer/package.json

Path to vulnerable library: /tmp/git/NodeServer/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.3.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: fa133e03329a64397844c4874edcc1e40f443ebd

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

---

Step up your Open Source Security Game with WhiteSource here