EIQ-2019-0033

ID	EIQ-2019-0033
CVE	CVE-2019-15657
Description	eslint-utils enables arbitrary code execution
Date	04 Sep 2019
Severity	4 - CRITICAL
CVSSv3 score	9.8
Status	All versions
Assessment	eslint-utils versions 1.2.0 until 1.4.0 included could enable an attacker to inject malicious input by exploiting a vulnerability through the `getStaticValue` function: `getStaticValue` fails to correctly sanitize input. The vulnerability does not affect the `getStringIfConstant` and `getPropertyName` functions. An attacker could inject malicious input by passing it as an argument of the `getStaticValue` function. This could enable an attacker to remotely execute arbitrary code on the targeted system during the linting process. This vulnerability is a false positive: it affects only users that run ESLint on untrusted source code. No EclecticIQ Platform release is affected, because we lint code internally, and we do not allow untrusted sources. Therefore, there is no exposure surface to exploit the vulnerability in the platform.
Mitigation	Upgrade eslint-utils to version 1.4.1 or later, as per vendor's recommendation. We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities. At the moment, there is no way to reliably test indirect dependencies.
Affected versions	None
Notes	For more information, see: npm security advisory about the vulnerability Snyk report about the vulnerability eslint-utils security advisory GitHub commit with the fix CWE-20 CWE-94

< Back to all security issues and mitigation actions

In release notes 2.5.0