EIQ-2019-0033



ID

EIQ-2019-0033

CVE

CVE-2019-15657

Description

eslint-utils enables arbitrary code execution

Date

04 Sep 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg All versions

Assessment

eslint-utils versions 1.2.0 until 1.4.0 included could enable an attacker to inject malicious input by exploiting a vulnerability through the getStaticValue function: getStaticValue fails to correctly sanitize input.
The vulnerability does not affect the getStringIfConstant and getPropertyName functions.

An attacker could inject malicious input by passing it as an argument of the getStaticValue function.
This could enable an attacker to remotely execute arbitrary code on the targeted system during the linting process.

This vulnerability is a false positive: it affects only users that run ESLint on untrusted source code.

No EclecticIQ Platform release is affected, because we lint code internally, and we do not allow untrusted sources.
Therefore, there is no exposure surface to exploit the vulnerability in the platform.

Mitigation

Upgrade eslint-utils to version 1.4.1 or later, as per vendor's recommendation.

We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities.
At the moment, there is no way to reliably test indirect dependencies.

Affected versions

None

Notes

For more information, see:

< Back to all security issues and mitigation actions


In release notes 2.5.0