CVE-2020-5219 : Angular Expressions before version 1.0.1 has a remote code execution vulnerabili

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

Published 2020-01-24 16:15:11

Updated 2020-01-31 20:50:01

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-5219

Peerigon » Angular-expressions » For Node.js
Versions before (<) 1.0.1
cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-5219

EPSS FAQ

0.72%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5219

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N	2.3	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-5219

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2020-5219

https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667

Disallow access to prototype chain (CVE-2020-5219) · peerigon/angular-expressions@061addf · GitHub
Patch
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43

Angular Expressions - Remote Code Execution · Advisory · peerigon/angular-expressions · GitHub
Mitigation;Third Party Advisory
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html

AngularJS: Angular 1.6 - Expression Sandbox Removal
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-5219

Products affected by CVE-2020-5219

Exploit prediction scoring system (EPSS) score for CVE-2020-5219

CVSS scores for CVE-2020-5219

CWE ids for CVE-2020-5219

References for CVE-2020-5219