CVE-2022-29230

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/Shopify/hydrogen/pull/1272	Issue Tracking Patch Third Party Advisory
https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0	Patch Third Party Advisory
https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-05-18 21:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-29230

Mitre link : CVE-2022-29230

CVE.ORG link : CVE-2022-29230

JSON object : View

Products Affected

shopify

hydrogen

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-29230", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2022-05-18T21:15:07.823", "references": [{"url": "https://github.com/Shopify/hydrogen/pull/1272", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}, {"lang": "es", "value": "Hydrogen es un marco de trabajo basado en React para la construcci\u00f3n de escaparates personalizados din\u00e1micos impulsados por Shopify. Se presenta una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) donde un usuario arbitrario es capaz de ejecutar scripts en p\u00e1ginas que son construidas con Hydrogen. Esto afecta a todas las versiones de Hydrogen desde versi\u00f3n 0.10.0 hasta 0.18.0. Esta vulnerabilidad es explotable en aplicaciones cuyos datos de hidrataci\u00f3n son controlados por el usuario. Todos los usuarios de Hydrogen deber\u00edan actualizar sus proyectos a versi\u00f3n 0.19.0. No se presenta una medida de mitigaci\u00f3n actual, y los usuarios deber\u00edan actualizar lo antes posible. Adem\u00e1s, la Pol\u00edtica de Seguridad de Contenidos no es una mitigaci\u00f3n efectiva para esta vulnerabilidad"}], "lastModified": "2022-06-01T19:55:39.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "17B85941-2E8A-464A-B36A-D690068208CA", "versionEndExcluding": "0.19.0", "versionStartIncluding": "0.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}