CVE-2020-14000
https://notcve.org/view.php?id=CVE-2020-14000
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented. NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts. MIT Lifelong Kindergarten Scratch scratch-vm versiones anteriores a 0.2.0-prerelease.20200714185213, carga una URL de extensión de archivos project.json no confiables con determinados caracteres _, resultando en una ejecución de código remota porque el contenido de la URL es tratado como un script y es ejecutado como un trabajador. • https://github.com/ossf-cve-benchmark/CVE-2020-14000 https://github.com/LLK/scratch-vm/pull/2476 https://scratch.mit.edu/discuss/topic/422904/?page=1#post-4223443 • CWE-502: Deserialization of Untrusted Data •