Information Exposure

Affecting parcel package, versions <1.10.0


Overview

parcel is a web application bundler.

Affected versions of this package are vulnerable to Information Exposure. Because the WebSocket server did not check the origin of requests, a malicious user on the same network was able to steal a user's code.
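
The missing check described above, sketched as an added example (not parcel's code or its actual fix): a WebSocket upgrade gate that compares the normalized Origin header against an exact allowlist. The function names, port 1234 and the sample origins are hypothetical and constructed for illustration.

```javascript
// Added example, not parcel's code. Names and sample values are hypothetical.
// Build a checker from exact origins the dev server trusts (assumed config).
function makeOriginCheck(allowedOrigins) {
  // URL#origin normalizes case and default ports, so compare normalized forms.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function isAllowedOrigin(header) {
    if (typeof header !== 'string') return false; // no Origin header sent
    let origin;
    try {
      origin = new URL(header).origin;
    } catch (e) {
      return false; // unparsable, including the literal "null"
    }
    // Opaque origins (file:, data:, sandboxed frames) serialize to "null".
    return origin !== 'null' && allowed.has(origin);
  };
}

// Gate for an HTTP "upgrade" event: refuse the handshake before any
// WebSocket frames (and therefore any bundled source) are sent.
function gateUpgrade(req, socket, isAllowedOrigin) {
  if (isAllowedOrigin(req.headers.origin)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}

// Constructed Origin values a dev server on port 1234 might receive.
const SAMPLE_ORIGINS = [
  'http://localhost:1234',                  // the page the dev server served
  'http://LOCALHOST:1234',                  // same origin, different case
  'http://localhost.attacker.example:1234', // a prefix match would wrongly pass
  'http://localhost:1234@attacker.example', // "localhost:1234" is userinfo here
  'https://localhost:1234',                 // scheme differs: different origin
  'null',                                   // sandboxed iframe or file: page
  undefined,                                // header absent
];

function checkSamples() {
  const isAllowed = makeOriginCheck(['http://localhost:1234']);
  return SAMPLE_ORIGINS.map((o) => isAllowed(o));
}

console.log(checkSamples());
```

The Origin header is set by browsers, so this check stops pages from other sites from connecting; a non-browser client can send any Origin value, so it does not replace restricting which interfaces the server listens on.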

Remediation

Upgrade parcel to version 1.10 or higher.

CVSS Score

3.1 (low severity)

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit: chromium1337
CVE: CVE-2018-14731
CWE: CWE-200
Snyk ID: SNYK-JS-PARCEL-72403
Disclosed: 21 Sep, 2018
Published: 26 Sep, 2018