Lucene search

GoogleOSV:CVE-2022-36036

HistoryAug 29, 2022 - 6:15 p.m.

CVE-2022-36036

2022-08-2918:15:09

Google

osv.dev

mdx-mermaid

vulnerability

javascript injection

patch

mdxjs

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

17.8%

JSON

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.

References

github.com/sjwall/mdx-mermaid/commit/f2b99386660fd13316823529c3f1314ebbcdfd2a

github.com/sjwall/mdx-mermaid/security/advisories/GHSA-rvgm-35jw-q628

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

17.8%

JSON

Related for OSV:CVE-2022-36036