GHSA-MXJR-XMCG-FG7W

Vulnerability from github – Published: 2019-06-27 17:25 – Updated: 2021-08-17 15:41
VLAI?
Summary
Arbitrary Code Injection in mobile-icon-resizer
Details

mobile-icon-resizer resizes large images for use as icons for iOS and Android.

mobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.

mobile-icon-resizer takes an options object as an argument to define the resulting icons as such:

var options = {
  config: './config.js'
}
resize(options, function(err){});

config.js would need to be a file on the filesystem and look something like:

var config = {
  iOS: {
    "images": [
     /* iOS image definitions are not vulnerable */
    ]
  },
  android: {
    "images" : [
      {
        "baseRatio" : "console.log('Executing script as baseRatio property')",
        "folder" : "drawable-ldpi"
      },
      {
        "ratio" : "console.log('Executing script as ratio property')",
        "folder" : "drawable-mdpi"
      },
    /* other android image defintiions ... */
    ]
  }
};

exports = module.exports = config;

The parameters ratio and baseRatio are passed directly to eval(), thus allowing dynamic javascript payloads to be executed.

Recommendation

Update to version 0.4.3 or later.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mobile-icon-resizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-27T15:58:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "mobile-icon-resizer resizes large images for use as icons for iOS and Android.\n\nmobile-icon-resizer has a code execution vulnerability in versions before 0.4.3.\n\nmobile-icon-resizer takes an options object as an argument to define the resulting icons as such:\n```\nvar options = {\n  config: \u0027./config.js\u0027\n}\nresize(options, function(err){});\n```\nconfig.js would need to be a file on the filesystem and look something like:\n```\nvar config = {\n  iOS: {\n    \"images\": [\n     /* iOS image definitions are not vulnerable */\n    ]\n  },\n  android: {\n    \"images\" : [\n      {\n        \"baseRatio\" : \"console.log(\u0027Executing script as baseRatio property\u0027)\",\n        \"folder\" : \"drawable-ldpi\"\n      },\n      {\n        \"ratio\" : \"console.log(\u0027Executing script as ratio property\u0027)\",\n        \"folder\" : \"drawable-mdpi\"\n      },\n    /* other android image defintiions ... */\n    ]\n  }\n};\n\nexports = module.exports = config;\n```\nThe parameters `ratio` and `baseRatio` are passed directly to `eval()`, thus allowing dynamic javascript payloads to be executed.\n\n\n## Recommendation\n\nUpdate to version 0.4.3 or later.",
  "id": "GHSA-mxjr-xmcg-fg7w",
  "modified": "2021-08-17T15:41:58Z",
  "published": "2019-06-27T17:25:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/muzzley/mobile-icon-resizer/issues/8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/muzzley/mobile-icon-resizer/commit/a6c50f884bd282d74ab77e1fce6317d5d0dd2f0f"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:mobile-icon-resizer:20160408"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary Code Injection in mobile-icon-resizer"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.