Closed
Description
GHSA-q674-xm3x-2926 - High Severity Vulnerability
Vulnerable Library - parse-link-header@1.0.1
Parses a link header and returns paging information for each contained link.
Library home page: https://www.npmjs.com/package/parse-link-header
Dependency Hierarchy:
- @osd/test@1.0.0 (Root Library)
- ❌ parse-link-header@1.0.1 (Vulnerable Library)
```console
$ npm ls parse-link-header
opensearch-dashboards@2.0.0 /home/ubuntu/ws/OpenSearch-Dashboards
└─┬ @osd/test@1.0.0 -> /home/ubuntu/ws/OpenSearch-Dashboards/packages/osd-test
  └── parse-link-header@1.0.1

$ yarn why parse-link-header
yarn why v1.22.17
[1/4] Why do we have the module "parse-link-header"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.4.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "parse-link-header@1.0.1"
info Reasons this module exists
   - "_project_#@osd#test" depends on it
   - Hoisted from "_project_#@osd#test#parse-link-header"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 1
Done in 1.85s.
```
Found in base branch: main
Vulnerability Details
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function: a sufficiently long, crafted Link header handed to the parser makes regex matching take excessive time, so any code path that parses attacker-controlled Link headers can be tied up by a single request.
Publish Date: 2021-12-24
CVE: CVE-2021-23490
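As an added example (not parse-link-header's own code, and not a reproduction of the vulnerable regex, which this advisory does not show), the following JavaScript parses a Link header into the same rel-keyed paging shape such a library returns, but with a single-pass scanner instead of backtracking regexes and with a maximum header length enforced before any parsing starts. The option names `maxHeaderLength` and `throwOnMaxHeaderLengthExceeded`, the 2000-character default, and the sample header are assumptions made for this example, not taken from this page.

```javascript
'use strict';
// Added example: a Link header parser hardened against ReDoS. Assumptions:
// the option names, the 2000-char default cap and the sample header below.
const DEFAULT_MAX_HEADER_LENGTH = 2000; // assumed cap, not from the advisory

// Split `str` on `delim` only where the delimiter is outside a <uri> and
// outside a "quoted-string". A single linear pass: no regex, no backtracking.
function splitOutside(str, delim) {
  const parts = [];
  let cur = '';
  let inUri = false;
  let inQuote = false;
  for (const ch of str) {
    if (ch === delim && !inUri && !inQuote) { parts.push(cur); cur = ''; continue; }
    cur += ch;
    if (inQuote) { if (ch === '"') inQuote = false; }
    else if (inUri) { if (ch === '>') inUri = false; }
    else if (ch === '"') inQuote = true;
    else if (ch === '<') inUri = true;
  }
  parts.push(cur);
  return parts;
}

// Parse one link-value, e.g. `<https://h/x?page=2>; rel="next"`, into an
// object holding the URL's query parameters, the link params, and `url`.
function parseLink(linkValue) {
  const s = linkValue.trim();
  const close = s.indexOf('>');
  if (!s.startsWith('<') || close === -1) return null; // malformed: skip it
  const uri = s.slice(1, close);
  let parsed;
  try { parsed = new URL(uri, 'http://placeholder.invalid'); } catch (e) { return null; }
  const info = {};
  // Query params first so explicit link params (rel, title, ...) win on clash.
  for (const [k, v] of parsed.searchParams) info[k] = v;
  for (const param of splitOutside(s.slice(close + 1), ';')) {
    const eq = param.indexOf('=');
    if (eq === -1) continue;
    const key = param.slice(0, eq).trim();
    let val = param.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (key) info[key] = val;
  }
  info.url = uri;
  return info;
}

// Returns { next: {...}, last: {...}, ... } or null for empty/oversized input.
// The length check runs before any per-character work, which is the point.
function parseLinkHeader(header, options = {}) {
  const max = options.maxHeaderLength === undefined ? DEFAULT_MAX_HEADER_LENGTH : options.maxHeaderLength;
  if (typeof header !== 'string' || header.length === 0) return null;
  if (header.length > max) {
    if (options.throwOnMaxHeaderLengthExceeded) {
      throw new Error('Link header exceeds maxHeaderLength (' + max + ')');
    }
    return null;
  }
  const rels = {};
  for (const linkValue of splitOutside(header, ',')) {
    const info = parseLink(linkValue);
    if (!info || !info.rel) continue;
    // rel may carry several space-separated relations ("next last").
    for (const rel of info.rel.split(' ').filter(Boolean)) {
      rels[rel] = Object.assign({}, info, { rel: rel });
    }
  }
  return rels;
}

// Constructed sample: a GitHub-style paging header (not captured from a real API).
const SAMPLE_HEADER =
  '<https://api.example.com/repos?page=2&per_page=100>; rel="next", ' +
  '<https://api.example.com/repos?page=5&per_page=100>; rel="last", ' +
  '<https://api.example.com/repos?page=1&per_page=100>; rel="prev"; title="first, page"';

console.log(parseLinkHeader(SAMPLE_HEADER));
// Oversized input is rejected up front instead of being scanned or matched.
console.log(parseLinkHeader('<'.repeat(5000)));
```

The cap is the cheap, general defence: whatever regex a parser uses, its worst-case cost is bounded once input length is. The scanner on top removes the regex from the hot path entirely, so a header under the cap is still parsed in time linear in its length.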
CVSS 3 Score Details (7.5), equivalent vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: thlorenz/parse-link-header#25
Release Date: 2022-01-06
Fix Resolution: parse-link-header - 2.0.0