CVE-2020-28502 - Vulnerability Details - OpenCVE

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.17396.

Key SSVC decision points have not yet been added.

Vendors	Products
Xmlhttprequest Project	Xmlhttprequest

Configuration 1 [-]

cpe:2.3:a:xmlhttprequest_project:xmlhttprequest:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-h4j5-c7cj-74xg	xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480
https://nvd.nist.gov/vuln/detail/CVE-2020-28502
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
https://www.cve.org/CVERecord?id=CVE-2020-28502

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2021-03-05T17:25:16.408867Z

Updated: 2024-09-16T22:55:22.529Z

Reserved: 2020-11-12T00:00:00

Link: CVE-2020-28502

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-05T18:15:12.830

Modified: 2024-11-21T05:22:55.420

Link: CVE-2020-28502

Redhat

Severity : Important

Publid Date: 2021-03-05T00:00:00Z

Links: CVE-2020-28502 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "xmlhttprequest", "vendor": "n/a", "versions": [{"lessThan": "1.7.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "xmlhttprequest-ssl", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "rinsuki"}], "datePublic": "2021-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 7.3, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Arbitrary Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-05T17:25:16", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480"}], "title": "Arbitrary Code Injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2021-03-05T17:20:04.331575Z", "ID": "CVE-2020-28502", "STATE": "PUBLIC", "TITLE": "Arbitrary Code Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xmlhttprequest", "version": {"version_data": [{"version_affected": "<", "version_value": "1.7.0"}]}}]}, "vendor_name": "n/a"}, {"product": {"product_data": [{"product_name": "xmlhttprequest-ssl", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "rinsuki"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Arbitrary Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"}, {"name": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937"}, {"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938"}, {"name": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480", "refsource": "MISC", "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:40:58.637Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-28502", "datePublished": "2021-03-05T17:25:16.408867Z", "dateReserved": "2020-11-12T00:00:00", "dateUpdated": "2024-09-16T22:55:22.529Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmlhttprequest_project:xmlhttprequest:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2D26F16-BD5F-4C5C-8140-DEA8B204D412", "versionEndExcluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run."}, {"lang": "es", "value": "Esto afecta al paquete xmlhttprequest versiones anteriores a 1.7.0; todas las versiones del paquete xmlhttprequest-ssl. Siempre que las peticiones son enviadas de forma sincr\u00f3nica (async=False en xhr.open), la entrada de un usuario malicioso que fluye hacia xhr.send podr\u00eda resultar en una inyecci\u00f3n y ejecuci\u00f3n de c\u00f3digo arbitraria"}], "id": "CVE-2020-28502", "lastModified": "2024-11-21T05:22:55.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-05T18:15:12.830", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", "id": "1935978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935978"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", "An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be initialized during the function call XMLHttpRequest.open to send requests synchronously using the parameter `async=False`. If the subsequent calls to xhr.send functions are with user-controllable input, this flaw allows an attacker to execute arbitrary code. If the xhr.send function is called on the server on behalf of a user, this allows execution on the Node.js server using the privileges of the Node.js process. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2020-28502", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "xmlhttprequest", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "nodejs-xmlhttprequest", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "nodejs-xmlhttprequest", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2021-03-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28502\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28502\nhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938\nhttps://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935"], "statement": "While the OpenShift ServiceMesh (OSSM) grafana-container source does have a vulnerable version of the nodejs-xmlhttprequest, it does not bundle or use the library in the released product. Therefore, the container has been marked `not affected`.\nFor the OpenShift Container Platform (OCP), the grafana-container for OCP 4.5 is already using a non-affected version of xmlhttprequest (v1.8.0). Later versions of the container (4.6+) don't include xmlhttprequest.\nFor Red Hat Advanced Cluster Management for Kubernetes (RHACM), the different components using xmlhttprequest is already using a non-affected version (v1.8.0). Therefore, all supported RHACM versions have been marked `not affected`.\nFor Red Hat Ceph Storage (RHCS) 3 and 4 the grafana-container is already using a non-affected version of xmlhttprequest (v1.8.0).", "threat_severity": "Important"}