GHSA-27WQ-QX3Q-FXM9

Vulnerability from github – Published: 2021-08-23 19:42 – Updated: 2021-10-21 14:15
VLAI?
Summary
Improper Handling of Unexpected Data Type in ced
Details

Impact

In ced v0.1.0, passing data types other than Buffer causes the Node.js process to crash.

Patches

The problem has been patched in ced v1.0.0. You can upgrade from v0.1.0 without any breaking changes.

Workarounds

Before passing an argument to ced, verify it’s a Buffer using Buffer.isBuffer(obj).

CVSS score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C

Base Score: 7.5 (High) Temporal Score: 7.2 (High)

Since ced is a library, the scoring is based on the “reasonable worst-case implementation scenario”, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability’s severity in your program may be different.

Proof of concept

const express = require("express");
const bodyParser = require("body-parser");
const ced = require("ced");

const app = express();

app.use(bodyParser.raw());

app.post("/", (req, res) => {
  const encoding = ced(req.body);

  res.end(encoding);
});

app.listen(3000);

curl --request POST --header "Content-Type: text/plain" --data foo http://localhost:3000 crashes the server.

References

  • https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ced"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-241"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T17:18:32Z",
    "nvd_published_at": "2021-08-17T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn ced v0.1.0, passing data types other than `Buffer` causes the Node.js process to crash.\n\n### Patches\n\nThe problem has been patched in [ced v1.0.0](https://github.com/sonicdoe/ced/releases/tag/v1.0.0). You can upgrade from v0.1.0 without any breaking changes.\n\n### Workarounds\n\nBefore passing an argument to ced, verify it\u2019s a `Buffer` using [`Buffer.isBuffer(obj)`](https://nodejs.org/api/buffer.html#buffer_static_method_buffer_isbuffer_obj).\n\n### CVSS score\n\n[CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O/RC:C)\n\nBase Score: 7.5 (High)\nTemporal Score: 7.2 (High)\n\nSince ced is a library, the scoring is based on the \u201c[reasonable worst-case implementation scenario](https://www.first.org/cvss/v3.1/user-guide#3-7-Scoring-Vulnerabilities-in-Software-Libraries-and-Similar)\u201d, namely, accepting data from untrusted sources over a network and passing it directly to ced. Depending on your specific implementation, the vulnerability\u2019s severity in your program may be different.\n\n### Proof of concept\n\n```js\nconst express = require(\"express\");\nconst bodyParser = require(\"body-parser\");\nconst ced = require(\"ced\");\n\nconst app = express();\n\napp.use(bodyParser.raw());\n\napp.post(\"/\", (req, res) =\u003e {\n  const encoding = ced(req.body);\n\n  res.end(encoding);\n});\n\napp.listen(3000);\n```\n\n`curl --request POST --header \"Content-Type: text/plain\" --data foo http://localhost:3000` crashes the server.\n\n### References\n\n- https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3",
  "id": "GHSA-27wq-qx3q-fxm9",
  "modified": "2021-10-21T14:15:51Z",
  "published": "2021-08-23T19:42:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sonicdoe/ced/security/advisories/GHSA-27wq-qx3q-fxm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39131"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sonicdoe/ced/commit/a4d9f10b6bf1cd468d1a5b9a283cdf437f8bb7b3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sonicdoe/ced"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sonicdoe/ced/releases/tag/v1.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Handling of Unexpected Data Type in ced"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.