CVE-2020-28503 (High) detected in copy-props-2.0.1.tgz, copy-props2.0.1

[mend-bolt-for-github]

CVE-2020-28503 - High Severity Vulnerability

Vulnerable Libraries - copy-props-2.0.1.tgz, copy-props2.0.1

copy-props-2.0.1.tgz

Copy properties deeply between two objects.

Library home page: https://registry.npmjs.org/copy-props/-/copy-props-2.0.1.tgz

Path to dependency file: mws-restaurant-stage-1/package.json

Path to vulnerable library: mws-restaurant-stage-1/node_modules/copy-props/package.json

Dependency Hierarchy:

• gulp-cli-2.3.0.tgz (Root Library)
  • ❌ copy-props-2.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e2dde5f3afe23a1b7f6c9aa592927b2b79aea76f

Found in base branch: master

Vulnerability Details

The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.

Publish Date: 2021-03-23

URL: CVE-2020-28503

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/gulpjs/copy-props/releases/tag/2.0.5

Release Date: 2021-03-23

Fix Resolution: copy-props - 2.0.5

---

Step up your Open Source Security Game with WhiteSource here