This repository has been archived by the owner on Apr 8, 2024. It is now read-only.
CVE-2023-6460 (Medium) detected in firestore-2.1.1.tgz #259
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
CVE-2023-6460 - Medium Severity Vulnerability
Firestore Client Library for Node.js
Library home page: https://registry.npmjs.org/@google-cloud/firestore/-/firestore-2.1.1.tgz
Path to dependency file: /generic-oauth/package.json
Path to vulnerable library: /tmp/git/generic-oauth/node_modules/@google-cloud/firestore/package.json
Dependency Hierarchy:
Found in HEAD commit: 31f5cb63b4ed71bb0a592036c13801d050e24f93
Found in base branch: master
A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue
Publish Date: 2023-12-04
URL: CVE-2023-6460
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6460
Release Date: 2023-12-04
Fix Resolution (@google-cloud/firestore): 6.2.0
Direct dependency fix Resolution (firebase-admin): 11.1.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: