GHSA-hxxf-q3w9-4xgw

Опубликовано: 12 июл. 2018

Источник: github

Github: Прошло ревью

CVSS3: 9.1

Описание

Malicious Package in eslint-scope

Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to 2 remote servers.

Recommendation

The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Ссылки

https://github.com/eslint/eslint-scope/issues/39
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
https://snyk.io/vuln/SNYK-JS-ESLINTSCOPE-11120
https://www.npmjs.com/advisories/673

Пакеты

Наименование

eslint-scope

npm

Затронутые версииВерсия исправления

= 3.7.2

3.7.3

Наименование

eslint-config-eslint

npm

Затронутые версииВерсия исправления

= 5.0.2

6.0.0

9.1 Critical

CVSS3

Дефекты

CWE-506

9.1 Critical

CVSS3

Дефекты

CWE-506