Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd3Zzktcmd2ai00aDVq
Code Injection in morgan
Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.
Recommendation
Update to version 1.9.1 or later.
Permalink: https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd3Zzktcmd2ai00aDVq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00578
EPSS Percentile: 0.78518
Identifiers: GHSA-gwg9-rgvj-4h5j, CVE-2019-5413
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5413
- https://hackerone.com/reports/390881
- https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/473.json
- https://www.npmjs.com/advisories/736
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
Affected Packages
npm:morgan
Dependent packages: 8,657
Dependent repositories: 986,048
Downloads: 20,891,041 last month
Affected Version Ranges: < 1.9.1
Fixed in: 1.9.1
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0
All unaffected versions: 1.9.1, 1.10.0