CVE-2020-5219 - OpenCVE

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Peerigon	Angular-expressions

Configuration 1 [-]

cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-24T15:25:14

Updated: 2024-08-04T08:22:08.893Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5219

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-24T16:15:11.473

Modified: 2020-01-31T20:50:01.120

Link: CVE-2020-5219

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "angular-expressions", "vendor": "peerigon", "versions": [{"status": "affected", "version": "< 1.0.1"}]}], "credits": [{"lang": "en", "value": "reported by GoSecure Inc"}], "descriptions": [{"lang": "en", "value": "Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-24T15:25:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html"}], "source": {"advisory": "GHSA-hxhm-96pp-2m43", "discovery": "UNKNOWN"}, "title": "Remote Code Execution in Angular Expressions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5219", "STATE": "PUBLIC", "TITLE": "Remote Code Execution in Angular Expressions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "angular-expressions", "version": {"version_data": [{"version_value": "< 1.0.1"}]}}]}, "vendor_name": "peerigon"}]}}, "credit": [{"lang": "eng", "value": "reported by GoSecure Inc"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43", "refsource": "CONFIRM", "url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43"}, {"name": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667", "refsource": "MISC", "url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667"}, {"name": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html", "refsource": "MISC", "url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html"}]}, "source": {"advisory": "GHSA-hxhm-96pp-2m43", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:08.893Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5219", "datePublished": "2020-01-24T15:25:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:08.893Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A716A363-A9FF-4911-8037-F3B4F7924380", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution."}, {"lang": "es", "value": "Angular Expressions versiones anteriores a 1.0.1, presenta una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota si llama a expressions.compile(userControlledInput) donde userControlledInput es texto que proviene desde la entrada del usuario. Si ejecuta expresiones angulares en el navegador, un atacante podr\u00eda ejecutar cualquier script del navegador cuando el c\u00f3digo de la aplicaci\u00f3n llame a expressions.compile(userControlledInput). Si ejecuta expresiones angulares en el servidor, un atacante podr\u00eda ejecutar cualquier expresi\u00f3n Javascript, consiguiendo as\u00ed una Ejecuci\u00f3n Remota de C\u00f3digo."}], "id": "CVE-2020-5219", "lastModified": "2020-01-31T20:50:01.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-24T16:15:11.473", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}