CVE-2018-1109 (High) detected in braces-1.8.5.tgz, braces-0.1.5.tgz

## CVE-2018-1109 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - braces-1.8.5.tgz, braces-0.1.5.tgz</summary>


<details><summary>braces-1.8.5.tgz</summary>

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: <a href="https://registry.npmjs.org/braces/-/braces-1.8.5.tgz">https://registry.npmjs.org/braces/-/braces-1.8.5.tgz</a>
Path to dependency file: recursos.osweekends.com/client/package.json
Path to vulnerable library: recursos.osweekends.com/client/node_modules/http-proxy-middleware/node_modules/braces/package.json


Dependency Hierarchy:
 - karma-1.7.1.tgz (Root Library)
 - chokidar-1.7.0.tgz
 - anymatch-1.3.2.tgz
 - micromatch-2.3.11.tgz
 - :x: **braces-1.8.5.tgz** (Vulnerable Library)
</details>
<details><summary>braces-0.1.5.tgz</summary>

Fastest brace expansion lib. Typically used with file paths, but can be used with any string. Expands comma-separated values (e.g. `foo/{a,b,c}/bar`) and alphabetical or numerical ranges (e.g. `{1..9}`)
Library home page: <a href="https://registry.npmjs.org/braces/-/braces-0.1.5.tgz">https://registry.npmjs.org/braces/-/braces-0.1.5.tgz</a>
Path to dependency file: recursos.osweekends.com/client/package.json
Path to vulnerable library: recursos.osweekends.com/client/node_modules/expand-braces/node_modules/braces/package.json


Dependency Hierarchy:
 - karma-1.7.1.tgz (Root Library)
 - expand-braces-0.1.2.tgz
 - :x: **braces-0.1.5.tgz** (Vulnerable Library)
</details>

Found in HEAD commit: <a href="https://github.com/OSWeekends/recursos.osweekends.com/commit/6352e0210f400c446da6f7bbb941ec356ceec84f">6352e0210f400c446da6f7bbb941ec356ceec84f</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png' width=19 height=20> Vulnerability Details</summary>
 
 
Braces before 1.4.2 and 2.17.2 is vulnerable to ReDoS. It used a regular expression (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long.

Publish Date: 2020-07-21
URL: <a href=https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-1109>CVE-2018-1109</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1547272">https://bugzilla.redhat.com/show_bug.cgi?id=1547272</a>
Release Date: 2020-07-21
Fix Resolution: 2.3.1


</details>


***
Step up your Open Source Security Game with WhiteSource [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2018-1109 (High) detected in braces-1.8.5.tgz, braces-0.1.5.tgz #193

CVE-2018-1109 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2018-1109 (High) detected in braces-1.8.5.tgz, braces-0.1.5.tgz #193

Description

CVE-2018-1109 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions