CVE-2017-1001004

typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/josdejong/typed-function/blob/master/HISTORY.md#2017-11-18-version-0106
https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe

Configurations

Configuration 1 (hide)

cpe:2.3:a:typed_function_project:typed_function:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:37

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe - Issue Tracking, Patch~~	() https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe -
References	~~(CONFIRM) https://github.com/josdejong/typed-function/blob/master/HISTORY.md#2017-11-18-version-0106 - Release Notes~~	() https://github.com/josdejong/typed-function/blob/master/HISTORY.md#2017-11-18-version-0106 -

Information

Published : 2017-11-27 14:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-1001004

Mitre link : CVE-2017-1001004

CVE.ORG link : CVE-2017-1001004

JSON object : View

Products Affected

typed_function_project

typed_function

CWE

CWE-20

Improper Input Validation

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2017-1001004", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-11-27T14:29:00.333", "references": [{"url": "https://github.com/josdejong/typed-function/blob/master/HISTORY.md#2017-11-18-version-0106", "source": "46fe6300-5254-4a98-9594-a9567bec8179"}, {"url": "https://github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe", "source": "46fe6300-5254-4a98-9594-a9567bec8179"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "46fe6300-5254-4a98-9594-a9567bec8179", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution."}, {"lang": "es", "value": "Las versiones anteriores a la 0.10.6 de typed-function ten\u00edan una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en el motor de JavaScript La creaci\u00f3n de una funci\u00f3n escrita con c\u00f3digo JavaScript en el nombre podr\u00eda resultar en la ejecuci\u00f3n arbitraria."}], "lastModified": "2023-11-07T02:37:59.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typed_function_project:typed_function:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE759593-BF10-4875-8C88-AD101A08C6E5", "versionEndExcluding": "0.10.6"}], "operator": "OR"}]}], "sourceIdentifier": "46fe6300-5254-4a98-9594-a9567bec8179"}