Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (node-sass version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2018-19827 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
| CVE-2018-11694 | High | 8.8 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
| CVE-2018-11698 | High | 8.1 | node-sass-9.0.0.tgz | Direct | node-sass - 4.14.0 | ✅ |
| CVE-2019-6286 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
| CVE-2018-20190 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
| CVE-2018-20821 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp | ❌ |
| CVE-2018-19839 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | Replace or update the following files: checked.h, core.h | ❌ |
| CVE-2019-6283 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
| CVE-2018-19797 | Medium | 6.5 | node-sass-9.0.0.tgz | Direct | N/A | ❌ |
Details
CVE-2018-19827
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2018-11694
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
CVE-2018-11698
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5m8-frrg-389w
Release Date: 2018-06-04
Fix Resolution: node-sass - 4.14.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-6286
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2018-20190
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-17
URL: CVE-2018-20190
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2018-20821
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
Publish Date: 2019-04-23
URL: CVE-2018-20821
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Change files
Release Date: 2019-04-15
Fix Resolution: Replace or update the following files: util_string.cpp, util_string.hpp, parser.hpp, parser.cpp
CVE-2018-19839
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.
Publish Date: 2018-12-04
URL: CVE-2018-19839
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Change files
Release Date: 2018-11-28
Fix Resolution: Replace or update the following files: checked.h, core.h
CVE-2019-6283
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.
Publish Date: 2019-01-14
URL: CVE-2019-6283
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
CVE-2018-19797
Vulnerable Library - node-sass-9.0.0.tgz
Library home page: https://registry.npmjs.org/node-sass/-/node-sass-9.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-sass/package.json
Dependency Hierarchy:
- ❌ node-sass-9.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
⛑️ Automatic Remediation is available for this issue.