PT-2019-12046 · Twitter · Bootstrap-Sass

Derek Barnes · Published 2019-04-04 · Updated 2019-04-11 · CVE-2019-10842

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the vulnerable software and affected versions

bootstrap-sass version 3.2.0.3

Description

Arbitrary code execution was discovered in bootstrap-sass 3.2.0.3. The gem ships Ruby code that takes the value of a request cookie named cfduid, Base64-decodes it and passes the result to eval(), so an unauthenticated attacker who can send an HTTP request to an application loading the gem can execute arbitrary Ruby inside the application process. The issue is unrelated to the cfduid cookie used by Cloudflare. The malicious code was present only in the 3.2.0.3 package published to RubyGems, not in the project's GitHub repository, so this is a compromised release rather than a bug in the upstream source. bootstrap-sass is widely deployed, with around 28 million downloads in total.

Recommendations

For version 3.2.0.3, update to version 3.2.0.4 to resolve the issue. There is no meaningful workaround short of removing the backdoored release: the eval() runs in the application process on the attacker's request, and restricting eval() or filtering a cookie inside the same application cannot be relied on. 3.2.0.3 has been yanked from RubyGems, so a fresh bundle install will not pull it, but existing Gemfile.lock files, vendored gem caches and already-built container images can still carry it. Pin 3.2.0.4 or later, rebuild and redeploy, and treat any host that served traffic while 3.2.0.3 was loaded as potentially compromised: rotate the credentials it held and review it for persistence.
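The two checks a Rails or Rack shop would run in response to this advisory, written here as an added Ruby example (it is not code from the bootstrap-sass project or from this advisory): first, find Gemfile.lock files that resolve bootstrap-sass to the backdoored 3.2.0.3 release; second, flag Ruby source in an installed gem that matches the mechanism the description gives, a request cookie whose value is Base64-decoded and passed to eval(). The lockfile text, the snippet with the hypothetical cookie name example_cookie and the clean snippet are constructed for the example, and the source heuristic is an assumption based on the described mechanism, not a published indicator of compromise.

```ruby
#!/usr/bin/env ruby
# Added example for this advisory; not code from the bootstrap-sass project
# or from the advisory itself. Two response checks for CVE-2019-10842:
#   1. find Gemfile.lock files that resolve bootstrap-sass to the backdoored
#      release 3.2.0.3;
#   2. flag Ruby source in an installed gem that matches the mechanism the
#      description gives (a request cookie, Base64-decoded, passed to eval).
# The lockfile text and source snippets below are constructed for the example;
# the source heuristic is an assumption, not the published indicator of compromise.
require 'tmpdir'

AFFECTED = { 'bootstrap-sass' => ['3.2.0.3'] }.freeze

# Parse the `specs:` block(s) of a Gemfile.lock into { gem_name => [versions] }.
# Resolved gems sit at four spaces of indentation; six spaces are dependencies.
def lockfile_specs(lock_text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s+specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/
      in_specs = false          # a new top-level section such as PLATFORMS
    elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs[$1] << $2
    end
  end
  specs
end

# Return "name version" strings for every affected pin in a lockfile.
def affected_gems(lock_text)
  lockfile_specs(lock_text).flat_map do |name, versions|
    (versions & AFFECTED.fetch(name, [])).map { |v| "#{name} #{v}" }
  end
end

# Heuristic for the backdoor pattern: the same Ruby source reads a cookie,
# Base64-decodes something, and calls eval. An asset gem has no business
# doing any of the three, let alone all of them together.
def evals_decoded_cookie?(source)
  source.match?(/cookies\s*\[/) &&
    source.match?(/Base64\.(urlsafe_)?decode64/) &&
    source.match?(/\beval\b/)
end

# Walk an installed gem directory and return the .rb files matching the heuristic.
def suspicious_files(gem_dir)
  Dir.glob(File.join(gem_dir, '**', '*.rb')).sort.select do |path|
    evals_decoded_cookie?(File.read(path))
  end
end

# Constructed sample inputs (not taken from any real application or gem).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      rack (2.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

SAMPLE_SUSPICIOUS = <<~RUBY
  # constructed illustration of the pattern; this string is only scanned, never run
  def call(env)
    req = Rack::Request.new(env)
    code = Base64.urlsafe_decode64(req.cookies['example_cookie'].to_s)
    eval(code)
    @app.call(env)
  end
RUBY

SAMPLE_CLEAN = <<~RUBY
  # constructed: the kind of Ruby an asset gem legitimately contains
  module Bootstrap
    def self.stylesheets_path
      File.join(gem_path, 'assets', 'stylesheets')
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "affected pins: #{affected_gems(SAMPLE_LOCK).inspect}"
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'middleware.rb'), SAMPLE_SUSPICIOUS)
    File.write(File.join(dir, 'bootstrap.rb'), SAMPLE_CLEAN)
    puts "suspicious files: #{suspicious_files(dir).map { |p| File.basename(p) }.inspect}"
  end
end
```

Run the lockfile check over every Gemfile.lock in the estate (including lockfiles baked into container images), and the source scan over the installed gem directories reported by `bundle show bootstrap-sass`. The source heuristic is deliberately coarse and will flag any file that mentions all three tokens, including this script itself; it is a triage filter to be read by a human, not a verdict.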

Exploit

Fix

Weakness Enumeration

Code Injection

Related identifiers

CVE-2019-10842
GHSA-VQQV-V9M2-48P2
SNYK-RUBY-BOOTSTRAPSASS-174093

Affected products

Bootstrap-Sass