CVE-2021-21277

{"id": "CVE-2021-21277", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.1}]}, "published": "2021-02-01T15:15:13.340", "references": [{"url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html", "tags": ["Broken Link", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/angular-expressions", "tags": ["Product"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "angular-expressions is \"angular's nicest part extracted as a standalone module for the browser and node\". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call \"expressions.compile(userControlledInput)\" where \"userControlledInput\" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a \".constructor.constructor\" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput."}, {"lang": "es", "value": "angular-expressions son \"angular's nicest part extracted as a standalone module for the browser and node\". En angular-expressions anteriores a la versi\u00f3n 1.1.2, existe una vulnerabilidad que permite una Ejecuci\u00f3n de C\u00f3digo Remota si llama a \"expression.compile(userControlledInput)\" donde \"userControlledInput\" es texto que proviene de la entrada del usuario. La seguridad del paquete podr\u00eda omitirse usando una carga \u00fatil m\u00e1s compleja, utilizando una t\u00e9cnica \".constructor.constructor\". En t\u00e9rminos de impacto: si ejecuta angular-expressions en el navegador, un atacante podr\u00eda ejecutar cualquier script del navegador cuando el c\u00f3digo de la aplicaci\u00f3n llame a expression.compile(userControlledInput). Si ejecuta angular-expressions en el servidor, un atacante podr\u00eda ejecutar cualquier expresi\u00f3n de Javascript, obteniendo as\u00ed una ejecuci\u00f3n de c\u00f3digo remota. Esto se corrigi\u00f3 en la versi\u00f3n 1.1.2 de angular-expressions. Una soluci\u00f3n temporal podr\u00eda ser deshabilitar la entrada controlada por el usuario que se alimentar\u00e1 en angular-expressions en su aplicaci\u00f3n o permitir solo seguir caracteres en el userControlledInput"}], "lastModified": "2022-10-19T19:06:19.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EF59E19D-CD5E-4B96-8445-154B8B913012", "versionEndExcluding": "1.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}