fkie_cve-2024-29896
Vulnerability from fkie_nvd
Published
2024-03-28 13:15
Modified
2025-09-19 15:59
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0.
References
security-advisories@github.comhttps://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566dPatch
security-advisories@github.comhttps://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8mVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566dPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8mVendor Advisory
Impacted products
Vendor Product Version
kindspells astro-shield 1.2.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kindspells:astro-shield:1.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "75039766-2D36-42E0-A4EE-5B2F4E8EFADC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be \"allow-listing\" malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0."
    },
    {
      "lang": "es",
      "value": "Astro-Shield es una librer\u00eda para calcular los hashes de integridad de los subrecursos para sus scripts JS y hojas de estilo CSS. Cuando la generaci\u00f3n automatizada de encabezados CSP para contenido SSR est\u00e1 habilitada y la aplicaci\u00f3n web ofrece contenido que puede ser controlado parcialmente por usuarios externos, entonces es posible que la funci\u00f3n de generaci\u00f3n de encabezados CSP pueda \"listar permitidos\" recursos maliciosos inyectados como JS en l\u00ednea o referencias a scripts maliciosos externos. La soluci\u00f3n est\u00e1 disponible en la versi\u00f3n 1.3.0."
    }
  ],
  "id": "CVE-2024-29896",
  "lastModified": "2025-09-19T15:59:51.790",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-28T13:15:47.717",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.