CVE-2022-25863 - OpenCVE

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Gatsbyjs	Gatsby

Configuration 1 [-]

OR	cpe:2.3:a:gatsbyjs:gatsby::::::node.js::*
	cpe:2.3:a:gatsbyjs:gatsby::::::node.js::*

References

Link	Resource
https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing	Exploit Third Party Advisory
https://github.com/gatsbyjs/gatsby/pull/35830	Exploit Patch Third Party Advisory
https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e	Patch Third Party Advisory
https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2022-06-10T00:00:00

Updated: 2022-06-10T20:00:19

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25863

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-06-10T20:15:08.227

Modified: 2022-06-17T18:40:18.720

Link: CVE-2022-25863

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "gatsby-plugin-mdx", "vendor": "n/a", "versions": [{"lessThan": "2.14.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThan": "3.15.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Feng Xiao and Zhongfu Su"}], "datePublic": "2022-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.7, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Deserialization of Untrusted Data", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-10T20:00:19", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699"}, {"tags": ["x_refsource_MISC"], "url": "https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gatsbyjs/gatsby/pull/35830"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e"}], "title": "Deserialization of Untrusted Data", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-06-10T20:00:07.103333Z", "ID": "CVE-2022-25863", "STATE": "PUBLIC", "TITLE": "Deserialization of Untrusted Data"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "gatsby-plugin-mdx", "version": {"version_data": [{"version_affected": "<", "version_value": "2.14.1"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<", "version_value": "3.15.2"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Feng Xiao and Zhongfu Su"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699"}, {"name": "https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing", "refsource": "MISC", "url": "https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing"}, {"name": "https://github.com/gatsbyjs/gatsby/pull/35830", "refsource": "MISC", "url": "https://github.com/gatsbyjs/gatsby/pull/35830"}, {"name": "https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e", "refsource": "MISC", "url": "https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25863", "datePublished": "2022-06-10T00:00:00", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2022-06-10T20:00:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "99A9A537-8856-4B7E-A166-3A3D22893854", "versionEndExcluding": "2.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "87A183A9-82D6-47A9-937D-5A16291CF859", "versionEndExcluding": "3.15.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing."}, {"lang": "es", "value": "El paquete gatsby-plugin-mdx versiones anteriores a 2.14.1, a partir de la 3.0.0 y anteriores a 3.15.2, es vulnerable a una Deserializaci\u00f3n de Datos No Confiables cuando es pasada la entrada mediante el paquete gray-matter, debido a sus configuraciones por defecto que carecen de saneo de entrada. La explotaci\u00f3n de esta vulnerabilidad es posible cuando es pasada la entrada tanto en modo webpack (archivos MDX en src/pages o archivo MDX importado como componente en c\u00f3digo frontend / React) como en modo datos (consulta de nodos MDX por medio de GraphQL). Mitigaci\u00f3n: Si es debido usar una versi\u00f3n anterior de gatsby-plugin-mdx, la entrada que es pasada al plugin debe ser saneada antes del procesamiento"}], "id": "CVE-2022-25863", "lastModified": "2022-06-17T18:40:18.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-06-10T20:15:08.227", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/file/d/1EoCzbwTWOM8-fjvwMbH3bqcZ2iKksxTW/view?usp=sharing"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/gatsbyjs/gatsby/pull/35830"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gatsbyjs/gatsby/pull/35830/commits/f214eb0694c61e348b2751cecd1aace2046bc46e"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-GATSBYPLUGINMDX-2405699"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}