GHSA-pv55-r6j3-wp94 – eslint-config-eslint

Package

Manager: npm
Name: eslint-config-eslint
Vulnerable Version: =5.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Malicious Package in eslint-config-eslint Version 5.0.2 of `eslint-config-eslint` was published without authorization and was found to contain malicious code. This code would read the users `.npmrc` file and send any found authentication tokens to a remote server. ## Recommendation The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens Users may consider downgrading to version 5.0.1

Metadata

Created: 2020-09-01T20:45:57Z
Modified: 2023-07-27T00:04:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-pv55-r6j3-wp94/GHSA-pv55-r6j3-wp94.json
CWE IDs: []
Alternative ID: N/A
Finding: F096
Auto approve: 1