CVE-2020-5219

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

CVSS v3 8.7 HIGH
CVSS v2.0 6.8 MEDIUM

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html	Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667	Patch
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43	Mitigation Third Party Advisory
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html	Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667	Patch
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2020-01-24 16:15

Updated : 2024-11-21 05:33

NVD link : CVE-2020-5219

Mitre link : CVE-2020-5219

CVE.ORG link : CVE-2020-5219

JSON object : View

Products Affected

peerigon

angular-expressions

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2020-5219", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-01-24T16:15:11.473", "references": [{"url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43", "tags": ["Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution."}, {"lang": "es", "value": "Angular Expressions versiones anteriores a 1.0.1, presenta una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota si llama a expressions.compile(userControlledInput) donde userControlledInput es texto que proviene desde la entrada del usuario. Si ejecuta expresiones angulares en el navegador, un atacante podr\u00eda ejecutar cualquier script del navegador cuando el c\u00f3digo de la aplicaci\u00f3n llame a expressions.compile(userControlledInput). Si ejecuta expresiones angulares en el servidor, un atacante podr\u00eda ejecutar cualquier expresi\u00f3n Javascript, consiguiendo as\u00ed una Ejecuci\u00f3n Remota de C\u00f3digo."}], "lastModified": "2024-11-21T05:33:42.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A716A363-A9FF-4911-8037-F3B4F7924380", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}