CVE-2021-4229 - OpenCVE

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:H/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Ua-parser-js Project	Ua-parser-js

Configuration 1 [-]

OR	cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.7.29:::::node.js::
	cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.8.0:::::node.js::
	cpe:2.3:a:ua-parser-js_project:ua-parser-js:1.0.0:::::node.js::

References

Link	Resource
https://github.com/advisories/GHSA-pjwm-rvh2-c87w	Third Party Advisory
https://github.com/faisalman/ua-parser-js/issues/536	Issue Tracking Patch Third Party Advisory
https://vuldb.com/?id.185453	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2022-05-24T15:30:35

Updated: 2022-05-24T15:30:35

Reserved: 2022-05-24T00:00:00

Link: CVE-2021-4229

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-24T16:15:07.680

Modified: 2022-06-06T14:23:42.200

Link: CVE-2021-4229

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "ua-parser-js", "vendor": "unspecified", "versions": [{"status": "affected", "version": "0.7.29"}, {"status": "affected", "version": "0.8.0"}, {"status": "affected", "version": "1.0.0"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-912", "description": "CWE-912 Backdoor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-24T15:30:35", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/faisalman/ua-parser-js/issues/536"}, {"tags": ["x_refsource_MISC"], "url": "https://vuldb.com/?id.185453"}], "title": "ua-parser-js Crypto Mining backdoor", "x_generator": "vuldb.com", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@vuldb.com", "ID": "CVE-2021-4229", "REQUESTER": "cna@vuldb.com", "STATE": "PUBLIC", "TITLE": "ua-parser-js Crypto Mining backdoor"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ua-parser-js", "version": {"version_data": [{"version_value": "0.7.29"}, {"version_value": "0.8.0"}, {"version_value": "1.0.0"}]}}]}, "vendor_name": ""}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component."}]}, "generator": "vuldb.com", "impact": {"cvss": {"baseScore": "5.0", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-912 Backdoor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w", "refsource": "MISC", "url": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"}, {"name": "https://github.com/faisalman/ua-parser-js/issues/536", "refsource": "MISC", "url": "https://github.com/faisalman/ua-parser-js/issues/536"}, {"name": "https://vuldb.com/?id.185453", "refsource": "MISC", "url": "https://vuldb.com/?id.185453"}]}}}}, "cveMetadata": {"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2021-4229", "datePublished": "2022-05-24T15:30:35", "dateReserved": "2022-05-24T00:00:00", "dateUpdated": "2022-05-24T15:30:35", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.7.29:*:*:*:*:node.js:*:*", "matchCriteriaId": "381C07EB-1848-4B09-B7AA-F069D666973D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:0.8.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "207BD461-40FD-46B2-BB75-5580E56AA6D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ua-parser-js_project:ua-parser-js:1.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "03BA6112-C319-430C-9045-938EC96DA38A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en ua-parser-js versiones 0.7.29/0.8.0/1.0.0. Ha sido calificada como cr\u00edtica. Este problema afecta al componente de miner\u00eda de criptomonedas que introduce una puerta trasera. La actualizaci\u00f3n a versiones 0.7.30, 0.8.1 y 1.0.1 puede abordar este problema. Es recomendado actualizar el componente afectado"}], "id": "CVE-2021-4229", "lastModified": "2022-06-06T14:23:42.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2022-05-24T16:15:07.680", "references": [{"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/faisalman/ua-parser-js/issues/536"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.185453"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-912"}], "source": "cna@vuldb.com", "type": "Secondary"}]}