CVE-2021-21412
[thi.ng/egf] Potential arbitrary code execution of `#gpg`-tagged property values
描述
### Impact Potential for arbitrary code execution in `#gpg`-tagged property values (only if `decrypt: true` option is enabled) ### Patches [A fix](https://github.com/thi-ng/umbrella/commit/3e14765d6bfd8006742c9e7860bc7d58ae94dfa5) has already been released as v0.4.0 ### Workarounds By default, EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser env). However, if GPG encrypted values are used/required: 1. Perform a regex search for `#gpg`-tagged values in the EGF source file/string and check for backtick (\`) chars in the encrypted value string 2. Replace/remove them or skip parsing if present... ### References https://github.com/thi-ng/umbrella/security/advisories/GHSA-rj44-gpjc-29r7#advisory-comment-65261 ### For more information If you have any questions or comments about this advisory, please open an issue in the [thi.ng/umbrella repo](https://github.com/thi-ng/umbrella/issues), of which this package is part of.
如何修補 CVE-2021-21412
要修補 CVE-2021-21412,請將受影響套件升級到下列已修補版本。
- —升級至 0.4.0 或更新版本
CVE-2021-21412 正在被利用嗎?
低 — EPSS 為 1.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 0.4.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |