2 vulnerabilities by metarhia
CVE-2022-21122 (GCVE-0-2022-21122)
Vulnerability from nvd – Published: 2022-06-03 20:05 – Updated: 2024-09-16 19:56
VLAI
Title
Arbitrary Code Execution
Summary
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.
Severity
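9.0 (Critical) – CVSS 3.1 base score, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P; temporal score 8.5 (High)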
CWE
- Arbitrary Code Execution
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-METACALC-2826197 | x_refsource_MISC |
| https://github.com/metarhia/metacalc/pull/16 | x_refsource_MISC |
| https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd | x_refsource_MISC |
Impacted products
Date Public
2022-06-03 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:31:58.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "metacalc",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vladyslav Dukhin"
}
],
"datePublic": "2022-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript\u0027s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript\u0027s Function constructor."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-03T20:05:12.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
],
"title": "Arbitrary Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-06-03T20:00:06.343033Z",
"ID": "CVE-2022-21122",
"STATE": "PUBLIC",
"TITLE": "Arbitrary Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "metacalc",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.0.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vladyslav Dukhin"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript\u0027s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript\u0027s Function constructor."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"name": "https://github.com/metarhia/metacalc/pull/16",
"refsource": "MISC",
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"name": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd",
"refsource": "MISC",
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-21122",
"datePublished": "2022-06-03T20:05:12.139Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:56:29.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21122 (GCVE-0-2022-21122)
Vulnerability from cvelistv5 – Published: 2022-06-03 20:05 – Updated: 2024-09-16 19:56
VLAI
Title
Arbitrary Code Execution
Summary
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.
Severity
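9.0 (Critical) – CVSS 3.1 base score, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P; temporal score 8.5 (High)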
CWE
- Arbitrary Code Execution
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-METACALC-2826197 | x_refsource_MISC |
| https://github.com/metarhia/metacalc/pull/16 | x_refsource_MISC |
| https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd | x_refsource_MISC |
Impacted products
Date Public
2022-06-03 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:31:58.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "metacalc",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vladyslav Dukhin"
}
],
"datePublic": "2022-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript\u0027s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript\u0027s Function constructor."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "CHANGED",
"temporalScore": 8.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-03T20:05:12.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
],
"title": "Arbitrary Code Execution",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-06-03T20:00:06.343033Z",
"ID": "CVE-2022-21122",
"STATE": "PUBLIC",
"TITLE": "Arbitrary Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "metacalc",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.0.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vladyslav Dukhin"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript\u0027s Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript\u0027s Function constructor."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-METACALC-2826197"
},
{
"name": "https://github.com/metarhia/metacalc/pull/16",
"refsource": "MISC",
"url": "https://github.com/metarhia/metacalc/pull/16"
},
{
"name": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd",
"refsource": "MISC",
"url": "https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-21122",
"datePublished": "2022-06-03T20:05:12.139Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:56:29.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}