Search criteria
3 vulnerabilities found for static-eval by static-eval_project
FKIE_CVE-2017-16226
Vulnerability from fkie_nvd - Published: 2018-06-07 02:29 - Updated: 2024-11-21 03:16
Severity ?
Summary
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
References
| URL | Tags | ||
|---|---|---|---|
| support@hackerone.com | https://github.com/substack/static-eval/pull/18 | Patch, Third Party Advisory | |
| support@hackerone.com | https://maustin.net/articles/2017-10/static_eval | Third Party Advisory | |
| support@hackerone.com | https://nodesecurity.io/advisories/548 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/substack/static-eval/pull/18 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://maustin.net/articles/2017-10/static_eval | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodesecurity.io/advisories/548 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| static-eval_project | static-eval | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:static-eval_project:static-eval:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "279E9C4A-4AB5-48D2-9693-FC2E165B9F81",
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."
},
{
"lang": "es",
"value": "El m\u00f3dulo static-eval est\u00e1 dise\u00f1ado para evaluar expresiones analizables de forma est\u00e1tica. En las versiones afectadas, las entradas de usuario no fiables pueden acceder al constructor de funci\u00f3n global, lo que permitir\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario."
}
],
"id": "CVE-2017-16226",
"lastModified": "2024-11-21T03:16:04.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-07T02:29:07.800",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/substack/static-eval/pull/18"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/substack/static-eval/pull/18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/548"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2017-16226 (GCVE-0-2017-16226)
Vulnerability from cvelistv5 – Published: 2018-06-07 02:00 – Updated: 2024-09-16 16:38
VLAI?
Summary
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation (CWE-20)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | static-eval node module node module |
Affected:
<=1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:20:04.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/548"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/substack/static-eval/pull/18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "static-eval node module node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=1.1.1"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/548"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/substack/static-eval/pull/18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "static-eval node module node module",
"version": {
"version_data": [
{
"version_value": "\u003c=1.1.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/548",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/548"
},
{
"name": "https://maustin.net/articles/2017-10/static_eval",
"refsource": "MISC",
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"name": "https://github.com/substack/static-eval/pull/18",
"refsource": "MISC",
"url": "https://github.com/substack/static-eval/pull/18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16226",
"datePublished": "2018-06-07T02:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T16:38:08.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16226 (GCVE-0-2017-16226)
Vulnerability from nvd – Published: 2018-06-07 02:00 – Updated: 2024-09-16 16:38
VLAI?
Summary
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation (CWE-20)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HackerOne | static-eval node module node module |
Affected:
<=1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:20:04.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/548"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/substack/static-eval/pull/18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "static-eval node module node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=1.1.1"
}
]
}
],
"datePublic": "2018-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation (CWE-20)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-07T01:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/548"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/substack/static-eval/pull/18"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16226",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "static-eval node module node module",
"version": {
"version_data": [
{
"version_value": "\u003c=1.1.1"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Input Validation (CWE-20)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/548",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/548"
},
{
"name": "https://maustin.net/articles/2017-10/static_eval",
"refsource": "MISC",
"url": "https://maustin.net/articles/2017-10/static_eval"
},
{
"name": "https://github.com/substack/static-eval/pull/18",
"refsource": "MISC",
"url": "https://github.com/substack/static-eval/pull/18"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16226",
"datePublished": "2018-06-07T02:00:00Z",
"dateReserved": "2017-10-29T00:00:00",
"dateUpdated": "2024-09-16T16:38:08.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}