CVE-2021-21412 – @thi.ng/egf

Package

Manager: npm
Name: @thi.ng/egf
Vulnerable Version: >=0 <0.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01082 pctl0.77022

Details

[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values ### Impact Potential for arbitrary code execution in `#gpg`-tagged property values (only if `decrypt: true` option is enabled) ### Patches [A fix](https://github.com/thi-ng/umbrella/commit/3e14765d6bfd8006742c9e7860bc7d58ae94dfa5) has already been released as v0.4.0 ### Workarounds By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env). However, if GPG encrypted values are used/required: 1. Perform a regex search for `#gpg`-tagged values in the EGF source file/string and check for backtick (\`) chars in the encrypted value string 2. Replace/remove them or skip parsing if present... ### References https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261 ### For more information If you have any questions or comments about this advisory, please open an issue in the [thi.ng/umbrella repo](https://github.com/thi-ng/umbrella/issues), of which this package is part of.

Metadata

Created: 2021-04-06T17:22:41Z
Modified: 2021-03-30T20:20:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rj44-gpjc-29r7/GHSA-rj44-gpjc-29r7.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-rj44-gpjc-29r7
Finding: F004
Auto approve: 1