CVE-2019-6286 (Medium) detected in opennms-opennms-source-24.1.3-1 #98
Description
CVE-2019-6286 - Medium Severity Vulnerability
Vulnerable Library - opennmsopennms-source-24.1.3-1
A Java based fault and performance management system
Library home page: https://sourceforge.net/projects/opennms/
Found in HEAD commit: 670af802c8765372e61dfe079d47c38298f173e4
Library Source Files (78)
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
- /facecreator/node_modules/console-stream/test/static/test-adapter.js
- /facecreator/node_modules/nan/nan_callbacks_pre_12_inl.h
- /facecreator/node_modules/node-sass/src/libsass/src/expand.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/expand.cpp
- /facecreator/node_modules/node-sass/src/sass_types/factory.cpp
- /facecreator/node_modules/js-base64/.attic/test-moment/./yoshinoya.js
- /facecreator/node_modules/node-sass/src/sass_types/boolean.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/util.hpp
- /facecreator/node_modules/node-sass/src/sass_types/value.h
- /facecreator/node_modules/node-sass/src/libsass/src/emitter.hpp
- /facecreator/node_modules/nan/nan_converters_pre_43_inl.h
- /facecreator/node_modules/node-sass/src/callback_bridge.h
- /facecreator/node_modules/node-sass/src/libsass/src/file.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/sass.cpp
- /facecreator/node_modules/nan/nan_persistent_12_inl.h
- /facecreator/node_modules/node-sass/src/libsass/src/operation.hpp
- /facecreator/node_modules/nan/nan_persistent_pre_12_inl.h
- /facecreator/node_modules/node-sass/src/libsass/src/operators.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/constants.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/error_handling.hpp
- /facecreator/node_modules/nan/nan_implementation_pre_12_inl.h
- /facecreator/node_modules/js-base64/.attic/test-moment/./dankogai.js
- /facecreator/node_modules/node-sass/src/custom_importer_bridge.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/parser.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/constants.cpp
- /facecreator/node_modules/node-sass/src/sass_types/list.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/cssize.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/functions.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/util.cpp
- /facecreator/node_modules/node-sass/src/custom_function_bridge.cpp
- /facecreator/node_modules/nan/nan_typedarray_contents.h
- /facecreator/node_modules/node-sass/src/custom_importer_bridge.h
- /facecreator/node_modules/node-sass/src/libsass/src/bind.cpp
- /facecreator/node_modules/nan/nan_json.h
- /facecreator/node_modules/node-sass/src/libsass/src/eval.hpp
- /facecreator/node_modules/nan/nan_converters.h
- /facecreator/node_modules/node-sass/src/libsass/src/backtrace.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/extend.cpp
- /facecreator/node_modules/node-sass/src/sass_context_wrapper.h
- /facecreator/node_modules/node-sass/src/sass_types/sass_value_wrapper.h
- /facecreator/node_modules/node-sass/src/libsass/src/error_handling.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/debugger.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/emitter.cpp
- /facecreator/node_modules/node-sass/src/sass_types/number.cpp
- /facecreator/node_modules/node-sass/src/sass_types/color.h
- /facecreator/node_modules/nan/nan_new.h
- /facecreator/node_modules/node-sass/src/libsass/src/sass_values.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/ast.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/output.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/check_nesting.cpp
- /facecreator/node_modules/node-sass/src/sass_types/null.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/ast_def_macros.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/functions.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/cssize.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/prelexer.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/ast.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/to_c.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/to_value.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/ast_fwd_decl.hpp
- /facecreator/node_modules/nan/nan_callbacks.h
- /facecreator/node_modules/node-sass/src/libsass/src/inspect.hpp
- /facecreator/node_modules/node-sass/src/sass_types/color.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/values.cpp
- /facecreator/node_modules/node-sass/src/sass_context_wrapper.cpp
- /facecreator/node_modules/node-sass/src/sass_types/list.h
- /facecreator/node_modules/node-sass/src/libsass/src/check_nesting.hpp
- /facecreator/node_modules/nan/nan_define_own_property_helper.h
- /facecreator/node_modules/js-base64/test/./es5.js
- /facecreator/node_modules/node-sass/src/sass_types/map.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/to_value.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/context.cpp
- /facecreator/node_modules/node-sass/src/sass_types/string.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/sass_context.cpp
- /facecreator/node_modules/node-sass/src/libsass/src/prelexer.hpp
- /facecreator/node_modules/node-sass/src/libsass/src/context.hpp
- /facecreator/node_modules/node-sass/src/sass_types/boolean.h
- /facecreator/node_modules/nan/nan_private.h
- /facecreator/node_modules/node-sass/src/libsass/src/eval.cpp
Vulnerability Details
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.
Publish Date: 2019-01-14
URL: CVE-2019-6286
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
Release Date: 2019-08-06
Fix Resolution: 3.6.0
Step up your Open Source Security Game with WhiteSource here