CVE-2021-21277
Angular Expressions - Remote Code Execution
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a ".constructor.constructor" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.
angular-expressions son "angular's nicest part extracted as a standalone module for the browser and node". En angular-expressions anteriores a la versión 1.1.2, existe una vulnerabilidad que permite una Ejecución de Código Remota si llama a "expression.compile(userControlledInput)" donde "userControlledInput" es texto que proviene de la entrada del usuario. La seguridad del paquete podría omitirse usando una carga útil más compleja, utilizando una técnica ".constructor.constructor". En términos de impacto: si ejecuta angular-expressions en el navegador, un atacante podría ejecutar cualquier script del navegador cuando el código de la aplicación llame a expression.compile(userControlledInput). Si ejecuta angular-expressions en el servidor, un atacante podría ejecutar cualquier expresión de Javascript, obteniendo así una ejecución de código remota. Esto se corrigió en la versión 1.1.2 de angular-expressions. Una solución temporal podría ser deshabilitar la entrada controlada por el usuario que se alimentará en angular-expressions en su aplicación o permitir solo seguir caracteres en el userControlledInput
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-22 CVE Reserved
- 2021-02-01 CVE Published
- 2024-08-03 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://www.npmjs.com/package/angular-expressions | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1 | 2022-10-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Peerigon Search vendor "Peerigon" | Angular-expressions Search vendor "Peerigon" for product "Angular-expressions" | < 1.1.2 Search vendor "Peerigon" for product "Angular-expressions" and version " < 1.1.2" | node.js |
Affected
| ||||||