Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRmYzQtY2hnNy1oOGdo
Unprotected dynamically loaded chunks
Impact
All dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected.
Patches
This issue is patched in version 1.5.1.
Workarounds
N/A
References
https://github.com/waysact/webpack-subresource-integrity/issues/131
For more information
If you have any questions or comments about this advisory:
- Comment on webpack-subresource-integrity issue #131
- Or email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRmYzQtY2hnNy1oOGdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-4fc4-chg7-h8gh, CVE-2020-15262
References:
- https://github.com/waysact/webpack-subresource-integrity/security/advisories/GHSA-4fc4-chg7-h8gh
- https://github.com/waysact/webpack-subresource-integrity/issues/131
- https://github.com/waysact/webpack-subresource-integrity/commit/3d7090c08c333fcfb10ad9e2d6cf72e2acb7d87f
- https://nvd.nist.gov/vuln/detail/CVE-2020-15262
- https://github.com/advisories/GHSA-4fc4-chg7-h8gh
Blast Radius: 21.5
Affected Packages
npm:webpack-subresource-integrity
Dependent packages: 172
Dependent repositories: 649,528
Downloads: 12,747,046 last month
Affected Version Ranges: < 1.5.1
Fixed in: 1.5.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.5.0
All unaffected versions: 1.5.1, 1.5.2, 5.0.0, 5.1.0