GHSA-27v7-qhfv-rqq8

Опубликовано: 30 мая 2019

Источник: github

Github: Прошло ревью

CVSS3: 3.3

Описание

Insecure Credential Storage in web3

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Ссылки

https://github.com/ethereum/web3.js/issues/2739
https://snyk.io/vuln/SNYK-JS-WEB3-174533
https://www.npmjs.com/advisories/877

Пакеты

Наименование

web3

npm

Затронутые версииВерсия исправления

<= 1.5.2

Отсутствует

3.3 Low

CVSS3

3.3 Low

CVSS3