SCA: security update for class-validator (GHSA-fj58-h2fr-3pp2)

critical Tenable Self-Hosted Container Security Plugin ID 414545

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal
attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues
parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most
developers configure input validation in the vulnerable default manner. With this vulnerability, attackers
can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software
maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for
the risk lies in a different product. (CVE-2019-18413)

Plugin Details

Severity: Critical

ID: 414545

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 8/19/2025

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-18413

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/12/2021

Vulnerability Publication Date: 10/24/2019

Reference Information

CVE: CVE-2019-18413

cwe: CWE-79, CWE-89

Detections

Analytics