From 59278080da39a6e4d44209da7d4042ce55daa126 Mon Sep 17 00:00:00 2001 From: Alshime <121425995+Alshime@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:32:53 +0300 Subject: [PATCH] Improve GHSA-8j8c-7jfh-h6hx --- .../GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json b/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json index 5a8a4baf2a901..64593cde112a0 100644 --- a/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json +++ b/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8j8c-7jfh-h6hx", - "modified": "2020-08-31T18:36:43Z", + "modified": "2023-11-29T20:43:52Z", "published": "2019-06-04T20:14:07Z", "aliases": [ @@ -9,7 +9,10 @@ "summary": "Code Injection in js-yaml", "details": "Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{ toString: ! 'function (){return Date.now()}' } : 1` \nwhich returns the object \n{\n \"1553107949161\": 1\n}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1.", "severity": [ - + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" + } ], "affected": [ { @@ -17,11 +20,6 @@ "ecosystem": "npm", "name": "js-yaml" }, - "ecosystem_specific": { - "affected_functions": [ - "(js-yaml).load" - ] - }, "ranges": [ { "type": "ECOSYSTEM", @@ -55,7 +53,7 @@ "cwe_ids": [ "CWE-94" ], - "severity": "HIGH", + "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2019-06-04T20:13:53Z", "nvd_published_at": null