CVELIST:CVE-2021-21278
History: Jan 26, 2021 - 8:25 p.m.

CVE-2021-21278 Risk of code injection in RSSHub

2021-01-26 20:25:15
CWE-74
GitHub_M
www.cve.org
cve-2021-21278
code injection
rsshub
open source
rss feed generator
security issues
fix
version 7f1c430
eslint rule

CVSS3: 8.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score: 10
Confidence: High
EPSS: 0.006
Percentile: 78.8%

RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use eval or the Function constructor on content fetched from the target site, so a target site can supply unsafe code that is executed on the RSSHub server, causing server-side security issues. The fix in version 7f1c430 is to temporarily remove the problematic route and add a no-new-func rule to ESLint.

CNA Affected

[
  {
    "product": "RSSHub",
    "vendor": "DIYgod",
    "versions": [
      {
        "status": "affected",
        "version": "< 7f1c430"
      }
    ]
  }
]
