PT-2024-40377 — Butterfly

PT-2024-40377 · Butterfly · Butterfly

Published

2024-10-24

Updated

2024-10-24

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions Butterfly (affected versions not specified)

Description The issue allows an attacker to execute arbitrary JavaScript code on the server by using the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string. This is possible because the parseJSON function uses eval and a regular expression to remove strings from the input, which can be tricked into treating part of the input as a string that the evaluator does not, due to a difference in interpretation regarding the Unicode zero-width joiner character. As a result, arbitrary programs can be run since Butterfly JavaScript code has access to Java classes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Possible mitigations and additional defenses could include:

Replacing the JSON implementation with Rhino's built-in implementation.
Dropping all JSON-related and JSONP-related code entirely.
Restricting the access the JavaScript controller code has to the rest of the system by using initSafeStandardObjects instead of initStandardObjects, using setClassShutter, and so on.

Eval Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-185CWE-95

Related Identifiers

GHSA-MPCW-3J5P-P99X

Affected Products

Butterfly

Weakness Enumeration

Related Identifiers

Affected Products

References · 4