CVE-2018-20801 - High Severity Vulnerability
Vulnerable Library - highcharts.src-4.0.1.js
Highcharts is a charting library written in pure JavaScript, offering an easy way of adding interactive charts to your web site or web application. Highcharts currently supports line, spline, area, areaspline, column, bar, pie and scatter chart types. Highcharts is NOT free for commercial use. See the license here: http://highcharts.com/license
Library home page: https://cdnjs.cloudflare.com/ajax/libs/highcharts/4.0.1/highcharts.src.js
Path to dependency file: /rubycritic/code_index.html
Path to vulnerable library: /rubycritic/assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/charts/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/seek/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/well-formed/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-eclipse-cheatsheets-to-dita/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/hashcheck/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/built-in-datatypes/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/scrapers/ruby/nokogiri/../../../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-strip/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/drivers/../assets/vendor/javascripts/highcharts.src-4.0.1.js
Dependency Hierarchy:
- ❌ highcharts.src-4.0.1.js (Vulnerable Library)
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
Vulnerability Details
In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.
Publish Date: 2019-03-14
URL: CVE-2018-20801
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20801
Release Date: 2019-03-14
Fix Resolution: 6.1.0
Step up your Open Source Security Game with Mend here
CVE-2018-20801 - High Severity Vulnerability
Highcharts is a charting library written in pure JavaScript, offering an easy way of adding interactive charts to your web site or web application. Highcharts currently supports line, spline, area, areaspline, column, bar, pie and scatter chart types. Highcharts is NOT free for commercial use. See the license here: http://highcharts.com/license
Library home page: https://cdnjs.cloudflare.com/ajax/libs/highcharts/4.0.1/highcharts.src.js
Path to dependency file: /rubycritic/code_index.html
Path to vulnerable library: /rubycritic/assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/charts/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/seek/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/well-formed/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-eclipse-cheatsheets-to-dita/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/hashcheck/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/built-in-datatypes/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/scrapers/ruby/nokogiri/../../../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/ruby-strip/../assets/vendor/javascripts/highcharts.src-4.0.1.js,/rubycritic/drivers/../assets/vendor/javascripts/highcharts.src-4.0.1.js
Dependency Hierarchy:
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.
Publish Date: 2019-03-14
URL: CVE-2018-20801
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20801
Release Date: 2019-03-14
Fix Resolution: 6.1.0
Step up your Open Source Security Game with Mend here