CVE-2021-21277 Information

Description

angular-expressions is ngular’s nicest part extracted as a standalone module for the browser and node. In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call xpressions.compile(userControlledInput)\ where �serControlledInput\ is text that comes from user input. The security of the package could be bypassed by using a more complex payload using a .constructor.constructor\ technique. In terms of impact: If running angular-expressions in the browser an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server an attacker could run any Javascript expression thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html https://www.npmjs.com/package/angular-expressions https://github.com/peerigon/angular-expressions/security/advisories/GHSA-j6px-jwvv-vpwq https://github.com/peerigon/angular-expressions/commit/07edb62902b1f6127b3dcc013da61c6316dd0bf1

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8