CVE-2023-27848: Vulnerability-Reports/report.md at 9d65add2bca71ed6d6b2e281ee6790a12504ff8e · omnitaint/Vulnerability-Reports

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.


Vulnerability in broccoli-compass

This report details an arbitrary command injection (ACI) vulnerability affecting broccoli-compass@0.2.4.

Package source

  • https://www.npmjs.com/broccoli-compass
  • https://github.com/g13013/broccoli-compass

Package description

“Sass-compass plugin for Broccoli”

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If an attacker-controlled filename is included in the list of files passed to “broccoli-compass” via its “files” option, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

A filename containing a shell payload must be provided in the list of files that “broccoli-compass” accepts as an argument. This can occur if another Node.js application includes “broccoli-compass” as a dependency and allows user-influenced filenames to reach the “files” list passed to “broccoli-compass”.

The proof-of-concept (PoC) program below illustrates the issue. Executing this code causes the command “touch success” to be run by the shell, which creates a file called “success”.

// PoC: the attacker-influenced string is passed as a filename; broccoli-compass
// interpolates it into a shell command line that is run with child_process.exec,
// so the $( ) substitution is evaluated by the shell.
var compileSass = require('broccoli-compass');
var user_provided_filename = '$(touch success);#';
compileSass({}, { 'files': [user_provided_filename] }).write('.', '.');

Environment: Node.js v15.5.1 on Linux

Steps to reproduce:

  1. npm i broccoli-compass@0.2.4
  2. Create a file, e.g., poc0.js, containing the PoC code.
  3. Execute the file: node poc0.js

A file called success will be created as a result of the execution of the PoC.

Related news

GHSA-wq8f-xmq3-5vq9: Remote code execution in broccoli-compass