6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
52.2%
Potential for arbitrary code execution in #gpg
-tagged property values (only if decrypt: true
option is enabled)
A fix has already been released as v0.4.0
By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env).
However, if GPG encrypted values are used/required:
#gpg
-tagged values in the EGF source file/string and check for backtick (`) chars in the encrypted value stringhttps://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261
If you have any questions or comments about this advisory, please open an issue in the thi.ng/umbrella repo, of which this package is part of.
CPE | Name | Operator | Version |
---|---|---|---|
@thi.ng/egf | lt | 0.4.0 |
github.com/advisories/GHSA-rj44-gpjc-29r7
github.com/thi-ng/umbrella/blob/develop/packages/egf/CHANGELOG.md#040-2021-03-27
github.com/thi-ng/umbrella/commit/88f61656e5f5cfba960013b8133186389efaf243
github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7
nvd.nist.gov/vuln/detail/CVE-2021-21412
www.npmjs.com/package/@thi.ng/egf
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
52.2%