Lucene search

GitHub_MCVELIST:CVE-2021-21412

HistoryMar 30, 2021 - 5:40 p.m.

CVE-2021-21412 [thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values

2021-03-3017:40:15

CWE-78

GitHub_M

www.cve.org

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

9.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.2%

JSON

Potential for arbitrary code execution in npm package @thi.ng/egf #gpg-tagged property values (only if decrypt: true option is enabled). PR with patch has been submitted and will has been released as of v0.4.0 By default the EGF parse functions do NOT attempt to decrypt values (since GPG only available in non-browser env). However, if GPG encrypted values are used/required: 1. Perform a regex search for #gpg-tagged values in the EGF source file/string and check for backtick (`) chars in the encrypted value string 2. Replace/remove them or skip parsing if present.

CNA Affected

[
  {
    "product": "egf",
    "vendor": "thi-ng",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.4.0"
      }
    ]
  }
]

References

github.com/thi-ng/umbrella/blob/develop/packages/egf/CHANGELOG.md#040-2021-03-27

github.com/thi-ng/umbrella/commit/88f61656e5f5cfba960013b8133186389efaf243

github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7

www.npmjs.com/package/%40thi.ng/egf

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

9.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.2%

JSON

Related for CVELIST:CVE-2021-21412