CVE-2022-39382

NODE_ENV in Keystone defaults to development with esbuild

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"development"` for user code, irrespective of what your environment variables. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured `NODE_ENV` variable. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. This vulnerability has been fixed in @keystone-6/core@3.0.2, regression tests have been added for this vulnerability in #8063.

Keystone es un CMS headless para Node.js construido con GraphQL y React.`@keystone-6/core@3.0.0 || 3.0.1` los usuarios que usan `NODE_ENV` para activar funciones sensibles a la seguridad en sus compilaciones de producción son vulnerables a que `NODE_ENV` se incluya en `"desarrollo"` para el código de usuario, independientemente de cuáles sean sus variables de entorno. Si no utiliza `NODE_ENV` en su código de usuario para activar funciones sensibles a la seguridad, esta vulnerabilidad no lo afecta. Cualquier dependencia que use `NODE_ENV` para desencadenar comportamientos particulares (optimizaciones, seguridad o de otro tipo) aún debe respetar la variable `NODE_ENV` configurada en su entorno. Las dependencias de la aplicación, como se encuentran en `node_modules` (incluido `@keystone-6/core`), normalmente no se compilan como parte de este proceso y, por lo tanto, no deberían verse afectadas. Hemos probado esta suposición verificando que `NODE_ENV = inicio clave del hilo de producción` todavía usa cookies seguras cuando se usan `statelessSessions`. Esta vulnerabilidad se solucionó en @keystone-6/core@3.0.2, se agregaron pruebas de regresión para esta vulnerabilidad en el número 8063.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-11-03 CVE Published
2024-06-24 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343	2024-08-03

URL	Date	SRC
https://github.com/keystonejs/keystone/pull/8031	2022-11-04
https://github.com/keystonejs/keystone/pull/8063	2022-11-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Keystonejs Search vendor "Keystonejs"		Keystone Search vendor "Keystonejs" for product "Keystone"				3.0.0 Search vendor "Keystonejs" for product "Keystone" and version "3.0.0"		node.js		Affected
Keystonejs Search vendor "Keystonejs"		Keystone Search vendor "Keystonejs" for product "Keystone"				3.0.1 Search vendor "Keystonejs" for product "Keystone" and version "3.0.1"		node.js		Affected