CVE-2022-21122

Опубликовано: 08 июн. 2022

Источник: nvd

CVSS3: 9

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

Ссылки

https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
Patch
Third Party Advisory
https://github.com/metarhia/metacalc/pull/16
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-METACALC-2826197
Exploit
Third Party Advisory
https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d2144bd
Patch
Third Party Advisory
https://github.com/metarhia/metacalc/pull/16
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-METACALC-2826197
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:metarhia:metacalc:*:*:*:*:*:*:*:*

Версия до 0.0.2 (исключая)

EPSS

Процентиль: 75%

0.00872

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

Связанные уязвимости

GHSA-5gc4-cx9x-9c43

CVSS3: 9

github

больше 3 лет назад

Code Injection in metacalc

EPSS

Процентиль: 75%

0.00872

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94