GHSA-vc9j-fhvv-8vrf

Source

https://github.com/advisories/GHSA-vc9j-fhvv-8vrf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-vc9j-fhvv-8vrf/GHSA-vc9j-fhvv-8vrf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc9j-fhvv-8vrf

Aliases

CVE-2020-14000

Published

2020-07-27T19:55:52Z

Modified

2023-11-08T04:02:24.878433Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote Code Execution in scratch-vm

Details

MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.

NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts.

Database specific

{
    "github_reviewed_at": "2020-07-27T19:53:24Z",
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL"
}

References

Affected packages

npm / scratch-vm

Package

Name: scratch-vm; View open source insights on deps.dev
Purl: pkg:npm/scratch-vm

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.0-prerelease.20200714185213

Database specific

{
    "last_known_affected_version_range": "<= 0.2.0-prerelease.20200709173451"
}