nvd-json-data-feeds/CVE-2021/CVE-2021-213xx/CVE-2021-21316.json

{
  "id": "CVE-2021-21316",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-02-16T18:15:12.490",
  "lastModified": "2024-11-21T05:48:00.423",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before version 0.10., when processing theming resources (i.e. `*.less` files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process. While this is a feature of the Less.js library it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development. Especially in the context of UI5 Tooling which relies on less-openui5. An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files. Refer to the referenced GHSA-3crj-w4f5-gwh4 for examples. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3. Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it. We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork. This fix is available in less-openui5 version 0.10.0."
    },
    {
      "lang": "es",
      "value": "less-openui5 es un paquete npm que permite construir temas de OpenUI5 con Less.js. En less-openui5 versiones anteriores a 0.10., cuando se procesan recursos de tematizaci\u00f3n (es decir, archivos \"*.less\") con less-openui5 que se originan desde una fuente no confiable, esos recursos podr\u00edan contener c\u00f3digo JavaScript que se ejecutar\u00e1 en el contexto del proceso de compilaci\u00f3n. Aunque esta es una funcionalidad de la biblioteca Less.js, es un comportamiento inesperado en el contexto del desarrollo de OpenUI5 y SAPUI5. Especialmente en el contexto de UI5 Tooling que depende de less-openui5. Un atacante podr\u00eda crear una biblioteca o biblioteca de tema que contenga un control o tema personalizado, ocultando c\u00f3digo JavaScript malicioso en uno de los archivos .less. Consulte la referencia GHSA-3crj-w4f5-gwh4 para visualizar ejemplos. A partir de Less.js versi\u00f3n 3.0.0, la funci\u00f3n Inline JavaScript est\u00e1 deshabilitada por defecto. Sin embargo, less-openui5 usa actualmente un derivaci\u00f3n de Less.js versi\u00f3n v1.6.3. Note que al deshabilitar la funcionalidad Inline JavaScript en las versiones 1.x de Less.js, se sigue evaluando el c\u00f3digo con c\u00f3digos dobles adicionales a su alrededor. Hemos decidido eliminar completamente la funcionalidad de evaluaci\u00f3n de JavaScript en l\u00ednea del c\u00f3digo de nuestra derivaci\u00f3n de Less.js. Esta correcci\u00f3n est\u00e1 disponible en less-openui5 versi\u00f3n 0.10.0"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "baseScore": 6.8,
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL"
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:less-openui5_project:less-openui5:*:*:*:*:*:node.js:*:*",
              "versionEndExcluding": "0.10.0",
              "matchCriteriaId": "3708A086-29BC-4569-9966-7E17A3063DD6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/commit/c0d3a8572974a20ea6cee42da11c614a54f100e8",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/releases/tag/v0.10.0",
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/security/advisories/GHSA-3crj-w4f5-gwh4",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.npmjs.com/package/less-openui5",
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ]
    },
    {
      "url": "http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/commit/c0d3a8572974a20ea6cee42da11c614a54f100e8",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/releases/tag/v0.10.0",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/SAP/less-openui5/security/advisories/GHSA-3crj-w4f5-gwh4",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.npmjs.com/package/less-openui5",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ]
    }
  ]
}