GHSA-4JG2-84C2-PJ95

Vulnerability from github – Published: 2021-09-21 18:41 – Updated: 2023-01-26 21:57
Summary
Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Details

Impact

Affects anyone who is using the default presets and/or does not handle the functionality themselves.

Patches

It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue.

Further similar situations are NOT seen as a security issue, but intended behavior.

Workarounds

Use fully custom presets that change the entire rendering process, which can then escape the user input.

For more information

Even though I changed all the presets here, the vulnerability is still present throughout. I am using a JSON Schema here for simplicity.

```ts
import { TypeScriptGenerator } from '@asyncapi/modelina';

const jsonSchemaDoc = {
  $id: 'CustomClass',
  type: 'object',
  properties: {
    // The property key itself carries the injected class members.
    'property: any; \n constructor(){console.log("injected")} \n private _temp': { type: 'string' },
  }
};
const generator = new TypeScriptGenerator(
  {
    presets: [
      {
        class: {
          // propertyName is interpolated into the output without any escaping.
          property({ propertyName, content }) {
            return `private ${propertyName}: any;`;
          },
          ctor() {
            return '';
          },
          getter() {
            return '';
          },
          setter() {
            return '';
          }
        }
      }
    ]
  }
);
const inputModel = await generator.process(jsonSchemaDoc);
```

This would render

```ts
export class CustomClass {
  private property: any; 
   constructor(){console.log("injected")} 
   private _temp: any;
  private additionalProperties: any;
}
```
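
The workaround described above, escaping the user input before it reaches the template, as an added example that is not code from the advisory or from @asyncapi/modelina: `constrainPropertyName`, `renderClass` and `membersAreSingleDeclarations` are hypothetical helpers, and the input is the property key from the schema above.

```typescript
// Added example: hypothetical helpers, not part of @asyncapi/modelina.

// Names that must not be emitted verbatim as class members (assumed subset for the demo).
const RESERVED: { [name: string]: boolean } = { constructor: true, prototype: true };

// Map an arbitrary schema key to a string that can only ever be one identifier.
function constrainPropertyName(raw: string, used: { [name: string]: boolean }): string {
  // Every run of characters outside [A-Za-z0-9_$] (newlines, ';', '(', quotes) becomes '_'.
  let name = raw.replace(/[^A-Za-z0-9_$]+/g, '_');
  if (name === '' || /^[0-9]/.test(name)) name = '_' + name;
  if (Object.prototype.hasOwnProperty.call(RESERVED, name)) name = 'reserved_' + name;
  // Two different raw keys may collapse to the same identifier; keep them distinct.
  let unique = name;
  for (let i = 1; Object.prototype.hasOwnProperty.call(used, unique); i++) unique = name + '_' + i;
  used[unique] = true;
  return unique;
}

// Same template as the preset in the advisory: `private ${propertyName}: any;`
function renderClass(className: string, keys: string[], constrain: boolean): string {
  const used: { [name: string]: boolean } = {};
  const members = keys.map((key) => {
    const propertyName = constrain ? constrainPropertyName(key, used) : key;
    return `  private ${propertyName}: any;`;
  });
  return `export class ${className} {\n${members.join('\n')}\n}`;
}

// Post-render check a build pipeline could run: every member line is exactly one declaration.
function membersAreSingleDeclarations(rendered: string): boolean {
  const body = rendered.split('\n').slice(1, -1);
  return body.every((line) => /^  private [A-Za-z_$][A-Za-z0-9_$]*: any;$/.test(line));
}

// Constructed input: the property key from the advisory's JSON Schema.
const payloadKey = 'property: any; \n constructor(){console.log("injected")} \n private _temp';
const keys = [payloadKey, 'additionalProperties'];

const rawRender = renderClass('CustomClass', keys, false);  // reproduces the injected constructor
const safeRender = renderClass('CustomClass', keys, true);  // one harmless property per key

console.log(safeRender);
```

The post-render check is useful on its own: run against generated files, it flags any member line that is not a single declaration, whichever preset produced it.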

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@asyncapi/modelina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-21T16:14:04Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAnyone who is using the default presets and/or does not handle the functionality themself.\n\n### Patches\nIt is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue.\n\nFurther similar situations are NOT seen as a security issue, but intended behavior.\n\n### Workarounds\nFully custom presets that change the entire rendering process which can then escape the user input.\n\n### For more information\nEven though that I changed all the presets here, the vulnerability is still present throughout. I am using a JSON Schema here for simplicity.\n```ts\nconst jsonSchemaDoc = {\n  $id: \u0027CustomClass\u0027,\n  type: \u0027object\u0027,\n  properties: {\n      \u0027property: any; \\n constructor(){console.log(\"injected\")} \\n private _temp\u0027: { type: \u0027string\u0027 },\n  }\n};\ngenerator = new TypeScriptGenerator(\n  { \n    presets: [\n      {\n        class: {\n            property({ propertyName, content }) {\n              return `private ${propertyName}: any;`;\n            },\n            ctor() {\n              return \u0027\u0027;\n            },\n            getter() {\n              return \u0027\u0027;\n            },\n            setter() {\n              return \u0027\u0027;\n            }\n        }\n      }\n    ]\n  }\n);\nconst inputModel = await generator.process(jsonSchemaDoc);\n```\nThis would render\n```ts\nexport class CustomClass {\n  private property: any; \n   constructor(){console.log(\"injected\")} \n   private _temp: any;\n  private additionalProperties: any;\n}\n```",
  "id": "GHSA-4jg2-84c2-pj95",
  "modified": "2023-01-26T21:57:36Z",
  "published": "2021-09-21T18:41:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23619"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asyncapi/modelina"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in @asyncapi/modelina"
}

