Due Date: 2023-01-10
A high severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
Cwe ID: 502
Cwe Name: Deserialization of Untrusted Data
Cwe Link: https://cwe.mitre.org/data/definitions/502.html
File: package-lock.json
Packages:
References:
Training(Secure Code Warrior):
Name: Deserialization of Untrusted Data
Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection/deserialization
Videos:
Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection
Videos:
Tool Description: ### Summary
Insecure serialization leading to RCE in serialize-javascript
Fixed Patch: 3.1.0
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R--0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of ``. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e700
Deeplink: https://github.com/advisories/GHSA-hxcc-f52p-wc94