EIQ-2019-0033
| ID | EIQ-2019-0033 |
|---|---|
| CVE | |
| Description | eslint-utils enables arbitrary code execution |
| Date | 04 Sep 2019 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.8 |
| Status | ✅ All versions |
| Assessment | eslint-utils versions 1.2.0 up to and including 1.4.0 could enable an attacker to inject malicious input by exploiting a vulnerability through the … The vulnerability does not affect the … An attacker could inject malicious input by passing it as an argument of the … This could enable an attacker to remotely execute arbitrary code on the targeted system during the linting process. Note: for the EclecticIQ Platform this vulnerability is a false positive: it affects only users who run ESLint on untrusted source code. No EclecticIQ Platform release is affected, because we lint code internally and do not allow untrusted sources, so the platform offers no exposure surface for exploiting this vulnerability. |
| Mitigation | Upgrade eslint-utils to version 1.4.1 or later, as per the vendor's recommendation. Note: we test direct dependencies by scanning fixed builds and then checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities. At the moment there is no reliable way to test indirect dependencies. |
| Affected versions | None |
| Notes | For more information, see: |