WS-2018-0083 (Medium) detected in protobufjs-5.0.2.tgz - autoclosed

[mend-bolt-for-github]

WS-2018-0083 - Medium Severity Vulnerability

Vulnerable Library - protobufjs-5.0.2.tgz

Protocol Buffers for JavaScript. Finally.

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-5.0.2.tgz

Path to dependency file: vid-to-speech-api-json/package.json

Path to vulnerable library: vid-to-speech-api-json/node_modules/grpc/node_modules/protobufjs/package.json

Dependency Hierarchy:

• speech-1.1.0.tgz (Root Library)
  • google-gax-0.14.5.tgz
    • grpc-1.7.3.tgz
      • ❌ protobufjs-5.0.2.tgz (Vulnerable Library)

Found in HEAD commit: f982a2ac7e2b2fffce4b4bc02af9d8eebfaf953b

Vulnerability Details

Versions of protobufjs before 6.8.6 are vulnerable to denial of service when parsing crafted invalid *.proto files.

Publish Date: 2018-02-26

URL: WS-2018-0083

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/605

Release Date: 2018-01-27

Fix Resolution: 6.8.6

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.