SNYK-JS-FINDMYWAY-1038269

SNYK-JS-FINDMYWAY-1038269 PUBLISHED CVSS 5.9 MEDIUM

## Overview

Affected versions of this package are vulnerable to Web Cache Poisoning. It accepts the `Accept-Version` header by default, and if versioned routes are not being used, this could lead to a denial of service. `Accept-Version` can be used as an unkeyed header in a cache poisoning attack.

## Remediation

Upgrade `find-my-way` to version 2.2.5, 3.0.5 or higher.

## References

- [Fastify README](https://github.com/fastify/fastify/pull/2679)
- [GitHub Commit](https://github.com/delvedor/find-my-way/commit/ab408354690e6b9cf3c4724befb3b3fa4bb90aac)
- [Web Cache Poisoning - Snyk Research Blog](https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/)
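The unkeyed-header problem described in the Overview, as an added model that is not code from find-my-way, Fastify or Snyk: it replays the same two requests through a toy shared cache and compares the default cache key with two defensive configurations (keying on the header, or stripping it before the origin). The origin's 404 for an unversioned route, the cache that stores every response, and all function names are assumptions of the model.

```javascript
// Toy origin (assumption): an unversioned route answers 404 whenever
// Accept-Version is present, modelling the affected behaviour.
function origin(req) {
  if (req.headers['accept-version'] !== undefined) {
    return { status: 404, body: 'Not Found' };
  }
  return { status: 200, body: 'home page' };
}

// Toy shared cache (assumption: it stores every response, including 404s).
// keyedHeaders: header names added to the cache key.
// stripHeaders: header names removed before the request reaches the origin.
function makeCache(backend, { keyedHeaders = [], stripHeaders = [] } = {}) {
  const store = new Map();
  return function handle(req) {
    const headers = { ...req.headers };
    for (const h of stripHeaders) delete headers[h];
    const vary = keyedHeaders.map((h) => `${h}=${headers[h] ?? ''}`).join('&');
    const key = `${req.method} ${req.url} ${vary}`;
    if (!store.has(key)) store.set(key, backend({ ...req, headers }));
    return store.get(key);
  };
}

// Send one request carrying Accept-Version, then an ordinary request for the
// same URL, and return the status the second (ordinary) client receives.
function secondClientStatus(options) {
  const cache = makeCache(origin, options);
  cache({ method: 'GET', url: '/', headers: { 'accept-version': '9.9.9' } }); // constructed value
  return cache({ method: 'GET', url: '/', headers: {} }).status;
}

const results = {
  unkeyed: secondClientStatus({}),                                  // header ignored by the cache key
  keyed: secondClientStatus({ keyedHeaders: ['accept-version'] }),  // header is part of the cache key
  stripped: secondClientStatus({ stripHeaders: ['accept-version'] }), // header never reaches the origin
};
console.log(results);
```

Keying or stripping the header at the cache is a compensating control in this model; the advisory's remediation remains the upgrade.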

Risk Scores

CVSS v3.1
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Affected Products

Vendor | Product | Versions
0

Timeline

  • Nov 3, 2020 CVE Updated
  • Nov 8, 2020 CVE Published