CVE-2017-16226

{"id": "CVE-2017-16226", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-06-07T02:29:07.800", "references": [{"url": "https://github.com/substack/static-eval/pull/18", "tags": ["Patch", "Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://maustin.net/articles/2017-10/static_eval", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}, {"url": "https://nodesecurity.io/advisories/548", "tags": ["Exploit", "Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."}, {"lang": "es", "value": "El m\u00f3dulo static-eval est\u00e1 dise\u00f1ado para evaluar expresiones analizables de forma est\u00e1tica. En las versiones afectadas, las entradas de usuario no fiables pueden acceder al constructor de funci\u00f3n global, lo que permitir\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2019-10-09T23:24:59.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:static-eval_project:static-eval:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "279E9C4A-4AB5-48D2-9693-FC2E165B9F81", "versionEndExcluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}