CVE-2020-7660 | serialize-javascript:1.9.1 (CWE-502)

[ckalpakoglu]

Due Date: 2023-01-10

A high severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 502

Cwe Name: Deserialization of Untrusted Data

Cwe Link: https://cwe.mitre.org/data/definitions/502.html

File: package-lock.json

Packages:

• serialize-javascript:1.9.1

References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-7660
• https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd
• https://github.com/advisories/GHSA-hxcc-f52p-wc94

Training(Secure Code Warrior):

• Name: Deserialization of Untrusted Data

• Description: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection/deserialization

• Videos:

  • https://media.securecodewarrior.com/v2/Module_62_Insecure_Deserialization_v2.mp4

    ---

• Name: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

• Description: The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/injection

• Videos:

---

Tool Description: ### Summary

Insecure serialization leading to RCE in serialize-javascript

Fixed Patch

3.1.0

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R--0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of ``. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e700 Deeplink: https://github.com/advisories/GHSA-hxcc-f52p-wc94

[ckalpakoglu]

The issue has been closed by Kondukto since it is marked as won't fix.