
CVE-2018-1109 (High) detected in braces-1.8.5.tgz, braces-0.1.5.tgz #115

Open
@mend-bolt-for-github

Description


CVE-2018-1109 - High Severity Vulnerability

Vulnerable Libraries - braces-1.8.5.tgz, braces-0.1.5.tgz

braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: angular/integration/ngcc/yarn.lock

Path to vulnerable library:

  • angular/integration/ngcc/yarn.lock
  • angular/yarn.lock
  • angular/integration/cli-hello-world-ivy-minimal/yarn.lock
  • angular/integration/platform-server/yarn.lock
  • angular/integration/ng_elements/yarn.lock
  • angular/integration/i18n/yarn.lock
  • angular/integration/cli-hello-world-ivy-compat/yarn.lock
  • angular/integration/dynamic-compiler/yarn.lock
  • angular/integration/ng_update/yarn.lock
  • angular/integration/hello_world__closure/yarn.lock
  • angular/integration/cli-hello-world/yarn.lock
  • angular/aio/yarn.lock
  • angular/integration/injectable-def/yarn.lock
  • angular/integration/hello_world__systemjs_umd/yarn.lock

Dependency Hierarchy:

  • lite-server-2.2.2.tgz (Root Library)
    • browser-sync-2.23.5.tgz
      • chokidar-1.7.0.tgz
        • anymatch-1.3.2.tgz
          • micromatch-2.3.11.tgz
            • braces-1.8.5.tgz (Vulnerable Library)

braces-0.1.5.tgz

Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)

Library home page: https://registry.npmjs.org/braces/-/braces-0.1.5.tgz

Path to dependency file: angular/aio/yarn.lock

Path to vulnerable library:

  • angular/aio/yarn.lock
  • angular/integration/cli-hello-world-ivy-compat/yarn.lock
  • angular/integration/cli-hello-world/yarn.lock
  • angular/integration/cli-hello-world-ivy-minimal/yarn.lock
  • angular/yarn.lock
  • angular/integration/bazel/src/yarn.lock

Dependency Hierarchy:

  • karma-1.7.1.tgz (Root Library)
    • expand-braces-0.1.2.tgz
      • braces-0.1.5.tgz (Vulnerable Library)

Found in HEAD commit: cf1f1c0344fa01406f61ff7437a72714be39b47e

Vulnerability Details

Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (`^\{(,+(?:(\{,+\})),|,(?:(\{,+\})),+)\}`) to detect empty braces. This can cause an impact of about 10 seconds of matching time for input 50K characters long.

Publish Date: 2020-07-21

URL: CVE-2018-1109

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1547272

Release Date: 2020-07-21

Fix Resolution: 2.3.1
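The two dependency hierarchies above and the fix resolution raise the practical question of which lockfile entries actually resolve to a braces version below 2.3.1 and which root library each one comes through. The following script is an added example, not code from Mend/WhiteSource or from the Angular repository: it parses a yarn.lock in the v1 format, finds every entry of a package resolved below the fix version, and walks the reverse dependency graph up to the entries nothing else depends on, which is how the "Root Library" lines above are derived. `SAMPLE_LOCK` is constructed to mirror the two hierarchies in this report; the semver ranges in it are illustrative and are not copied from Angular's lockfiles. Treating "no dependents in the lockfile" as a root is an assumption that holds for this sample; a real audit would cross-check roots against package.json.

```javascript
// Added example (not Mend's or Angular's code): audit a yarn.lock v1 for a
// package resolved below an advisory's fix version and print the dependency
// chain that pulls each vulnerable copy in.
const PACKAGE = 'braces';
const FIX_VERSION = '2.3.1';

// Constructed lockfile mirroring the two hierarchies in the report; ranges are illustrative.
const SAMPLE_LOCK = `
# yarn lockfile v1
anymatch@^1.3.0:
  version "1.3.2"
  dependencies:
    micromatch "^2.1.5"
braces@^0.1.2:
  version "0.1.5"
braces@^1.8.2:
  version "1.8.5"
browser-sync@^2.23.5:
  version "2.23.5"
  dependencies:
    chokidar "1.7.0"
chokidar@1.7.0:
  version "1.7.0"
  dependencies:
    anymatch "^1.3.0"
expand-braces@^0.1.1:
  version "0.1.2"
  dependencies:
    braces "^0.1.2"
karma@^1.7.1:
  version "1.7.1"
  dependencies:
    expand-braces "^0.1.1"
lite-server@^2.2.2:
  version "2.2.2"
  dependencies:
    browser-sync "^2.23.5"
micromatch@^2.1.5, micromatch@^2.3.11:
  version "2.3.11"
  dependencies:
    braces "^1.8.2"
`;

// Parse yarn.lock v1 into a Map from "name@range" to a shared entry object.
// Several ranges can resolve to one entry ("micromatch@^2.1.5, micromatch@^2.3.11:").
function parseYarnLock(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      // The last "@" separates name from range, so scoped names (@scope/pkg@^1.0.0) work.
      const name = keys[0].slice(0, keys[0].lastIndexOf('@'));
      current = { name, version: null, deps: [] };
      for (const k of keys) entries.set(k, current);
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === 'dependencies:';
      if (line.startsWith('version ')) current.version = line.slice(8).replace(/"/g, '');
    } else if (indent === 4 && inDeps) {
      const m = /^("?)(.+?)\1 "(.*)"$/.exec(line); // name "range"; name may be quoted
      if (m) current.deps.push([m[2], m[3]]);
    }
  }
  return entries;
}

// Numeric compare of release versions; a pre-release suffix is ignored
// (assumption: lockfiles pin released versions, so this is enough here).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// For every entry of `pkg` below `fixVersion`, walk dependents up to entries
// nothing depends on (treated as root libraries) and return each chain as
// "name-version" strings, root first.
function findVulnerableChains(entries, pkg, fixVersion) {
  const unique = new Set(entries.values());
  const dependents = new Map();
  for (const e of unique) {
    for (const [depName, depRange] of e.deps) {
      const dep = entries.get(`${depName}@${depRange}`);
      if (!dep) continue; // dangling reference: lockfile out of sync with package.json
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(e);
    }
  }
  const chains = [];
  const walk = (e, path) => {
    const parents = dependents.get(e) || new Set();
    if (parents.size === 0) chains.push(path.slice().reverse());
    for (const p of parents) if (!path.includes(p)) walk(p, [...path, p]); // skip cycles
  };
  for (const e of unique) {
    if (e.name === pkg && compareVersions(e.version, fixVersion) < 0) walk(e, [e]);
  }
  return chains.map(c => c.map(e => `${e.name}-${e.version}`));
}

for (const chain of findVulnerableChains(parseYarnLock(SAMPLE_LOCK), PACKAGE, FIX_VERSION)) {
  console.log(chain.join(' > '));
}
```

Run it with `node` (replace `SAMPLE_LOCK` with `fs.readFileSync('yarn.lock', 'utf8')` for a real lockfile). On the sample it prints the karma chain and the lite-server chain from the report. The chains show why "Fix Resolution: 2.3.1" cannot be applied directly in this repository: braces is not a direct dependency here, so the fix arrives by upgrading the root library (lite-server, karma) to a release whose transitive dependencies resolve to braces 2.3.1 or later. A yarn `resolutions` override can force the version instead, but for the karma path it would push a dependency that was resolved against braces 0.x onto a release two majors newer, so that route needs testing before it is trusted.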

Metadata

Assignees

No one assigned

Labels

security vulnerability (Security vulnerability detected by WhiteSource)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
