CVE-2021-23784 - OpenCVE

This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tempura Project	Tempura

Configuration 1 [-]

cpe:2.3:a:tempura_project:tempura:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b	Patch Third Party Advisory
https://github.com/lukeed/tempura/releases/tag/v0.4.0	Release Notes Third Party Advisory
https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633	Exploit Mitigation Patch Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2021-11-03T00:00:00

Updated: 2021-11-03T17:20:42

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23784

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-03T18:15:08.180

Modified: 2021-11-05T18:11:35.357

Link: CVE-2021-23784

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "tempura", "vendor": "n/a", "versions": [{"lessThan": "0.4.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Alessio Della Libera of Snyk Research Team"}], "datePublic": "2021-11-03T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 5.1, "temporalSeverity": "MEDIUM", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-03T17:20:42", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"}], "title": "Cross-site Scripting (XSS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-11-03T17:16:43.033351Z", "ID": "CVE-2021-23784", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tempura", "version": {"version_data": [{"version_affected": "<", "version_value": "0.4.0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Alessio Della Libera of Snyk Research Team"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"}, {"name": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b", "refsource": "MISC", "url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"}, {"name": "https://github.com/lukeed/tempura/releases/tag/v0.4.0", "refsource": "MISC", "url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2021-23784", "datePublished": "2021-11-03T00:00:00", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2021-11-03T17:20:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tempura_project:tempura:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACE9E824-B3FD-4D3C-B5B7-817110F088C2", "versionEndExcluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability."}, {"lang": "es", "value": "Esto afecta al paquete tempura versiones anteriores a 0.4.0. Si la entrada a la funci\u00f3n esc es de tipo objeto (es decir, una matriz) se devuelve sin ser escapada/saneada, conllevando una potencial vulnerabilidad de tipo Cross-Site Scripting"}], "id": "CVE-2021-23784", "lastModified": "2021-11-05T18:11:35.357", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2021-11-03T18:15:08.180", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"}, {"source": "report@snyk.io", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/lukeed/tempura/releases/tag/v0.4.0"}, {"source": "report@snyk.io", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}