Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNjcmotdzRmNS1nd2g0
Processing untrusted theming resources might execute arbitrary code (ACE)
Impact
When processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.
While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.
Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:
An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.
This is an example of inline JavaScript in a Less file:
.rule {
@var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
color: @var;
}
Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.
Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:
.rule {
@var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
color: @var;
}
Patches
We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.
This fix is available in less-openui5 version v0.10.0
Workarounds
Only process trusted theming resources.
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/SAP/less-openui5
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNjcmotdzRmNS1nd2g0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-3crj-w4f5-gwh4, CVE-2021-21316
References:
- https://github.com/SAP/less-openui5/security/advisories/GHSA-3crj-w4f5-gwh4
- https://github.com/SAP/less-openui5/commit/c0d3a8572974a20ea6cee42da11c614a54f100e8
- https://www.npmjs.com/package/less-openui5
- https://github.com/SAP/less-openui5/releases/tag/v0.10.0
- http://lesscss.org/usage/#less-options-enable-inline-javascript-deprecated-
- https://nvd.nist.gov/vuln/detail/CVE-2021-21316
- https://github.com/advisories/GHSA-3crj-w4f5-gwh4
Blast Radius: 19.9
Affected Packages
npm:less-openui5
Dependent packages: 16Dependent repositories: 1,426
Downloads: 530,305 last month
Affected Version Ranges: < 0.10.0
Fixed in: 0.10.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.9.0
All unaffected versions: 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6