vuln(NSWG-ECO-403): atob

[lirantal]

No description provided.

[ChALkeR]

Citing my comment:

The package info is now inconsistent — it claims "engines": { "node": ">= 0.4.0" }, but the code works only on 4.5.0 and above (as they are using Buffer.from without a polyfill). That is not a security issue though.

/cc @coolaj86

[ChALkeR]

AV:P seems incorrect. AC:H is better fit.

[lirantal]

do you thin AV is N? is this because you'd come up with a use-case where atob() is given a user input originated string?

Also, why AC: H? seems like the buffer vulnerability is of the same nature as others.

[lirantal]

cc @ChALkeR ^

[ChALkeR]

@lirantal Should be the same as 309, 391, 392, 393.
Those do not require physical access. There is no reason for this to be AC:P.

AC:H because it's hard to actually reproduce this on real apps — attacker-supplied content should end up there, which requires playing around other logic. I.e. it's not just «feed input over http», it's «try to find where user input is fed to atob and attempt to supply a typed number there». It requires inpecting other components and, perhaps, bypassing them.

I.e. there are other things required to be passed for this to be exploited, this is not trivially exploitable.

Note: I also don't agree on AC:L (and A:N) for 309, but whatever.

[ChALkeR]

CVSS vecor might need fixing.

[lirantal]

@ChALkeR ping for my comment on the CVSS part

[ChALkeR]

@lirantal Will take a look today, thanks!

[coolaj86]

Sorry, I've been slow.

I'll update the engines property and republish.

[coolaj86]

Published as atob@2.1.1

[lirantal]

@coolaj86 still >= 2.1.0 is not vulnerable, right?
@ChALkeR need you to review my comments on this PR

[lirantal]

Ok, updated report.

Applied all required changes