OpenCVE

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Postcss	Postcss

Configuration 1 [-]

cpe:2.3:a:postcss:postcss:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/github/advisory-database/issues/2820
https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25
https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
https://github.com/postcss/postcss/releases/tag/8.4.31

History

Mon, 23 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-09-29T00:00:00

Updated: 2024-09-23T16:38:49.069Z

Reserved: 2023-09-28T00:00:00

Link: CVE-2023-44270

Vulnrichment

Updated: 2024-08-02T19:59:51.937Z

NVD

Status : Modified

Published: 2023-09-29T22:15:11.867

Modified: 2024-11-21T08:25:33.443

Link: CVE-2023-44270

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-44270", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-23T16:38:49.069Z", "dateReserved": "2023-09-28T00:00:00", "datePublished": "2023-09-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-10T12:48:52.698160"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25"}, {"url": "https://github.com/postcss/postcss/releases/tag/8.4.31"}, {"url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5"}, {"url": "https://github.com/github/advisory-database/issues/2820"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:59:51.937Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25", "tags": ["x_transferred"]}, {"url": "https://github.com/postcss/postcss/releases/tag/8.4.31", "tags": ["x_transferred"]}, {"url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5", "tags": ["x_transferred"]}, {"url": "https://github.com/github/advisory-database/issues/2820", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T16:38:23.948037Z", "id": "CVE-2023-44270", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T16:38:49.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25", "tags": ["x_transferred"]}, {"url": "https://github.com/postcss/postcss/releases/tag/8.4.31", "tags": ["x_transferred"]}, {"url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5", "tags": ["x_transferred"]}, {"url": "https://github.com/github/advisory-database/issues/2820", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:59:51.937Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-44270", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T16:38:23.948037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T16:38:38.654Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25"}, {"url": "https://github.com/postcss/postcss/releases/tag/8.4.31"}, {"url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5"}, {"url": "https://github.com/github/advisory-database/issues/2820"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-10T12:48:52.698160"}}}, "cveMetadata": {"cveId": "CVE-2023-44270", "state": "PUBLISHED", "dateUpdated": "2024-09-23T16:38:49.069Z", "dateReserved": "2023-09-28T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-09-29T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postcss:postcss:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FB38A6C8-B41F-41C9-9093-E46BAC3B54CB", "versionEndExcluding": "8.4.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en PostCSS antes de la versi\u00f3n 8.4.31. La vulnerabilidad afecta a los linters que utilizan PostCSS para analizar CSS externos que no son de confianza. Un atacante puede preparar CSS de tal manera que contenga partes analizadas por PostCSS como un comentario CSS. Despu\u00e9s del procesamiento por PostCSS, se incluir\u00e1 en la salida de PostCSS en los nodos CSS (reglas, propiedades) a pesar de estar incluido en un comentario."}], "id": "CVE-2023-44270", "lastModified": "2024-11-21T08:25:33.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-29T22:15:11.867", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/github/advisory-database/issues/2820"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes"], "url": "https://github.com/postcss/postcss/releases/tag/8.4.31"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/github/advisory-database/issues/2820"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes"], "url": "https://github.com/postcss/postcss/releases/tag/8.4.31"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}