logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-21316 less-openui5

Package

Manager: npm
Name: less-openui5
Vulnerable Version: >=0 <0.10.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

EPSS: 0.00301 pctl0.52852

Details

Processing untrusted theming resources might execute arbitrary code (ACE) ### Impact When processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process. While this is a [feature](http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-) of the [Less.js library](https://github.com/less/less.js), it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development. Especially in the context of [UI5 Tooling](https://github.com/SAP/ui5-tooling), which relies on less-openui5, this poses a security threat: An attacker might create a [library](https://sap.github.io/ui5-tooling/pages/Builder/#library) or [theme-library](https://sap.github.io/ui5-tooling/pages/Builder/#theme-library) containing a custom control or theme, hiding malicious JavaScript code in one of the `.less` files. This is an example of inline JavaScript in a Less file: ```less .rule { @var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`; color: @var; } ``` Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses [a fork](https://github.com/SAP/less-openui5/tree/master/lib/thirdparty/less) of Less.js v1.6.3. Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it: ```less .rule { @var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`"; color: @var; } ``` ### Patches We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork. This fix is available in less-openui5 version [v0.10.0](https://github.com/SAP/less-openui5/releases/tag/v0.10.0) ### Workarounds Only process trusted theming resources. ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/SAP/less-openui5 * Email us at secure@sap.com

Metadata

Created: 2021-01-29T20:51:37Z
Modified: 2021-02-16T17:35:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-3crj-w4f5-gwh4/GHSA-3crj-w4f5-gwh4.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-3crj-w4f5-gwh4
Finding: F184
Auto approve: 1