Headline
CVE-2020-5529: HtmlUnit vulenerable to arbitrary code execution
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
Published:2020/02/10 Last Updated:2020/02/10
Overview
HtmlUnit contains code execution vulnerabitilies.
Products Affected
- HtmlUnit prior to 2.37.0
Description
HtmlUnit is a Java-based library which provides web browser functionality to Java programs, and it supports JavaScript evaluation with embedded Mozilla Rhino engine.
Mozilla Rhino engine offers a feature to make Java objects available from JavaScript.
HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application(CWE-284).
Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
Impact
Through man-in-the-middle attack or in some other way, an attacker may lead the target application to evaluate malicious JavaScript code, which executes arbitrary Java code.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector(AV)
Physical §
Local (L)
Adjacent (A)
Network (N)
Attack Complexity(AC)
High (H)
Low (L)
Privileges Required(PR)
High (H)
Low (L)
None (N)
User Interaction(UI)
Required ®
None (N)
Scope(S)
Unchanged (U)
Changed ©
Confidentiality Impact©
None (N)
Low (L)
High (H)
Integrity Impact(I)
None (N)
Low (L)
High (H)
Availability Impact(A)
None (N)
Low (L)
High (H)
CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector(AV)
Local (L)
Adjacent Network (A)
Network (N)
Access Complexity(AC)
High (H)
Medium (M)
Low (L)
Authentication(Au)
Multiple (M)
Single (S)
None (N)
Confidentiality Impact©
None (N)
Partial §
Complete ©
Integrity Impact(I)
None (N)
Partial §
Complete ©
Availability Impact(A)
None (N)
Partial §
Complete ©
Comment
This analysis assumes that the application fetches and evaluates some web content automatically, and that the attacker does man-in-the-middle attack.
Credit
ICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Related news
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.