Description

cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.

Remediation

References

https://github.com/simonsmith/cypress-image-snapshot/commit/ef49519795daf5183f4fac6f3136e194f20f39f4

https://github.com/simonsmith/cypress-image-snapshot/issues/15

https://github.com/simonsmith/cypress-image-snapshot/releases/tag/8.0.2

https://github.com/simonsmith/cypress-image-snapshot/security/advisories/GHSA-vxjg-hchx-cc4g

Related Vulnerabilities

CVE-2022-41965 Vulnerability in maven package org.opencastproject:opencast-engage-paella-player

CVE-2019-14439 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2021-29624 Vulnerability in npm package fastify-csrf

CVE-2021-3629 Vulnerability in maven package io.undertow:undertow-core

CVE-2018-8013 Vulnerability in maven package org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Exploit Issue Tracking Third Party Advisory Release Notes Mitigation Vendor Advisory NVD-CWE-noinfo