Vulnerabilities: 1 via 1 paths

Dependencies: 21

Source: GitHub

Commit: 719ae2c6


medium severity

Information Exposure

  • Vulnerable module: log4js
  • Introduced through: log4js@3.0.6

Detailed paths

  • Introduced through: remote-vscode@rafaelmaiolla/remote-vscode#719ae2c66857cb96725221ddd820edd7baf220ea log4js@3.0.6
    Remediation: Upgrade to log4js@6.4.0.

Overview

log4js is a port of Log4js to work with Node.

Affected versions of this package are vulnerable to Information Exposure: log files created by the file, fileSync and dateFile appenders get default file permissions that are world-readable (on Unix). This could cause problems if log files contain sensitive information. It affects any users who have not supplied their own permissions for the files via the mode parameter in the config.

Remediation

Upgrade log4js to version 6.4.0 or higher.
