GHSA-3CRJ-W4F5-GWH4
Vulnerability from github – Published: 2021-01-29 20:51 – Updated: 2021-02-16 17:35

Impact
When theming resources (i.e. *.less files) that originate from an untrusted source are processed with less-openui5, those resources might contain JavaScript code which will be executed in the context of the build process, with whatever privileges the build itself has.
While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.
Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:
An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.
This is an example of inline JavaScript in a Less file:

```less
.rule {
  @var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
  color: @var;
}
```
Starting with Less.js version 3.0.0, the inline JavaScript feature is disabled by default and has to be switched on explicitly via the javascriptEnabled option. less-openui5, however, currently uses a fork of Less.js v1.6.3, where the feature is still on by default.

Note that in Less.js 1.x, disabling the inline JavaScript feature is not sufficient either: a backtick expression that is additionally wrapped in double quotes is still evaluated:

```less
.rule {
  @var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
  color: @var;
}
```
Patches
We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.
This fix is available in less-openui5 version v0.10.0 (commit c0d3a8572974a20ea6cee42da11c614a54f100e8).
Workarounds
Only process trusted theming resources.
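A pre-build audit that covers both the workaround above (only process trusted theming resources) and the patch (less-openui5 v0.10.0), as an added example in Node.js that is not part of this advisory or of the less-openui5 project. The function names, the sample file paths and the sample Less sources are constructed for this example; the version check only compares against the fixed version 0.10.0 stated above, and the scanner is a heuristic that reports backtick expressions outside comments, marking the double-quoted form that Less.js 1.x still evaluates. It is no substitute for upgrading.

```javascript
'use strict';
// Added example, not part of the SAP advisory or of less-openui5: a pre-build
// audit for UI5 theming resources. It (1) flags Less.js inline JavaScript
// (backtick expressions) in .less sources, including the double-quoted form
// that Less.js 1.x still evaluates with inline JavaScript disabled, and
// (2) tells whether an installed less-openui5 version predates the 0.10.0 fix.
// All function names and the sample files below are this example's own.

// Blank out Less comments so backticks inside them are not reported. Block
// comments are replaced by spaces (newlines kept, so line numbers stay
// correct); `//` comments are removed only when they start a line or follow
// whitespace, `;`, `{` or `}`, which leaves the `//` inside url(http://...) alone.
function stripLessComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[\s;{}])\/\/[^\n]*/gm, '$1');
}

// One finding per backtick expression: 1-based line, the JavaScript that
// would be evaluated, and whether it is wrapped in double quotes.
function findInlineJs(src) {
  const findings = [];
  const re = /(")?`([^`]*)`(")?/g;
  stripLessComments(src).split('\n').forEach((line, idx) => {
    let m;
    while ((m = re.exec(line)) !== null) {
      findings.push({ line: idx + 1, code: m[2].trim(), quoted: m[1] === '"' && m[3] === '"' });
    }
  });
  return findings;
}

// less-openui5 < 0.10.0 ships the Less.js 1.6.3 fork with inline JavaScript
// evaluation (GHSA-3crj-w4f5-gwh4). A pre-release of 0.10.0 sorts before the
// release, as semver orders them, and is therefore reported as vulnerable.
const FIXED_VERSION = [0, 10, 0];
function isVulnerableVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version.trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  const parts = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return Boolean(m[4]); // exactly 0.10.0-<prerelease>
}

// Audit a map of path -> Less source before handing it to the build. The
// caller decides whether to abort; a finding only executes if the tooling
// still evaluates inline JavaScript, but it is worth reviewing either way.
function auditThemingResources(files, lessOpenui5Version) {
  const report = { vulnerableTooling: isVulnerableVersion(lessOpenui5Version), findings: [] };
  for (const [path, src] of Object.entries(files)) {
    for (const f of findInlineJs(src)) report.findings.push({ path, ...f });
  }
  return report;
}

// Constructed sample resources: the advisory's two payload forms and one
// benign file whose backticks sit only in comments.
const SAMPLE_FILES = {
  'src/themes/evil/library.source.less': [
    '.rule {',
    "  @var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;",
    '  color: @var;',
    '}',
  ].join('\n'),
  'src/themes/evil2/Button.less': [
    '// quoted form: still evaluated by Less.js 1.x with inline JavaScript disabled',
    '.rule {',
    '  @var: "`(function(){console.log(\'Hello from JavaScript\'); process.exit(1);})()`";',
    '  color: @var;',
    '}',
  ].join('\n'),
  'src/themes/ok/library.source.less': [
    '/* `backticks` in a block comment are not evaluated */',
    '.sapMBtn { background: url(http://example.invalid/a.png); // `nor here`',
    '  color: #333; }',
  ].join('\n'),
};

const DEMO_REPORT = auditThemingResources(SAMPLE_FILES, '0.9.0');
console.log(`less-openui5 tooling vulnerable: ${DEMO_REPORT.vulnerableTooling}`);
for (const f of DEMO_REPORT.findings) {
  console.log(`${f.path}:${f.line} ${f.quoted ? 'quoted ' : ''}inline JS: ${f.code}`);
}
```

Run it with node: the report lists every backtick expression with its file and line, and vulnerableTooling says whether the given less-openui5 version still evaluates them. A finding in a theme-library from an untrusted source should block the build regardless of the version, because the same resource may later be built with older tooling.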
For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/SAP/less-openui5
* Email us at secure@sap.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "less-openui5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21316"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-29T20:50:46Z",
"nvd_published_at": "2021-02-16T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.\n\nWhile this is a [feature](http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-) of the [Less.js library](https://github.com/less/less.js), it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.\n\nEspecially in the context of [UI5 Tooling](https://github.com/SAP/ui5-tooling), which relies on less-openui5, this poses a security threat:\n\nAn attacker might create a [library](https://sap.github.io/ui5-tooling/pages/Builder/#library) or [theme-library](https://sap.github.io/ui5-tooling/pages/Builder/#theme-library) containing a custom control or theme, hiding malicious JavaScript code in one of the `.less` files.\n\nThis is an example of inline JavaScript in a Less file:\n```less\n.rule {\n\t@var: `(function(){console.log(\u0027Hello from JavaScript\u0027); process.exit(1);})()`;\n\tcolor: @var;\n}\n```\n\nStarting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses [a fork](https://github.com/SAP/less-openui5/tree/master/lib/thirdparty/less) of Less.js v1.6.3.\n\nNote that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:\n```less\n.rule {\n\t@var: \"`(function(){console.log(\u0027Hello from JavaScript\u0027); process.exit(1);})()`\";\n\tcolor: @var;\n}\n```\n\n### Patches\nWe decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.\n\nThis fix is available in less-openui5 version [v0.10.0](https://github.com/SAP/less-openui5/releases/tag/v0.10.0)\n\n### Workarounds\nOnly process trusted theming resources.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/SAP/less-openui5\n* Email us at secure@sap.com",
"id": "GHSA-3crj-w4f5-gwh4",
"modified": "2021-02-16T17:35:25Z",
"published": "2021-01-29T20:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAP/less-openui5/security/advisories/GHSA-3crj-w4f5-gwh4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21316"
},
{
"type": "WEB",
"url": "https://github.com/SAP/less-openui5/commit/c0d3a8572974a20ea6cee42da11c614a54f100e8"
},
{
"type": "WEB",
"url": "https://github.com/SAP/less-openui5/releases/tag/v0.10.0"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/less-openui5"
},
{
"type": "WEB",
"url": "http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Processing untrusted theming resources might execute arbitrary code (ACE)"
}