CVE-2021-21278 - OpenCVE

RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rsshub	Rsshub

Configuration 1 [-]

cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d
https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c
https://www.npmjs.com/package/rsshub

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-01-26T20:25:15

Updated: 2024-08-03T18:09:15.121Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21278

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-26T21:15:12.673

Modified: 2021-02-04T16:25:05.777

Link: CVE-2021-21278

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "RSSHub", "vendor": "DIYgod", "versions": [{"status": "affected", "version": "< 7f1c430"}]}], "descriptions": [{"lang": "en", "value": "RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-26T20:25:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/rsshub"}], "source": {"advisory": "GHSA-pgjj-866w-fc5c", "discovery": "UNKNOWN"}, "title": "Risk of code injection in RSSHub", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21278", "STATE": "PUBLIC", "TITLE": "Risk of code injection in RSSHub"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSSHub", "version": {"version_data": [{"version_value": "< 7f1c430"}]}}]}, "vendor_name": "DIYgod"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c", "refsource": "CONFIRM", "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c"}, {"name": "https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d", "refsource": "MISC", "url": "https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d"}, {"name": "https://www.npmjs.com/package/rsshub", "refsource": "MISC", "url": "https://www.npmjs.com/package/rsshub"}]}, "source": {"advisory": "GHSA-pgjj-866w-fc5c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.121Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/rsshub"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21278", "datePublished": "2021-01-26T20:25:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.121Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "96307B03-5B1C-4DDC-8E20-E299DE0697A3", "versionEndExcluding": "2021-01-25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint."}, {"lang": "es", "value": "RSSHub es un generador de fuentes RSS extensible, f\u00e1cil de usar y de c\u00f3digo abierto. En RSSHub versiones anteriores a 7f1c430 (versionado no sem\u00e1ntico) se presenta el riesgo de inyecci\u00f3n de c\u00f3digo. Algunas rutas usan \"eval\" o \"Function constructor\", que pueden ser inyectadas por el sitio objetivo con c\u00f3digo no seguro, causando problemas de seguridad en el lado del servidor. La correcci\u00f3n en la versi\u00f3n 7f1c430 es eliminar temporalmente la ruta problem\u00e1tica y agregar una regla \"no-new-func\" para eslint"}], "id": "CVE-2021-21278", "lastModified": "2021-02-04T16:25:05.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-26T21:15:12.673", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/rsshub"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}