GitHub_MVULNRICHMENT:CVE-2024-29896CVE-2024-29896 Astro-Shield's Content-Security-Policy header generation in middleware could be compromised by malicious injections
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be “allow-listing” malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:kindspells:astro-shield:1.2.0:*:*:*:*:*:*:*"
],
"vendor": "kindspells",
"product": "astro-shield",
"versions": [
{
"status": "affected",
"version": "1.2.0",
"lessThan": "1.3.0",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial