Arbitrary Code Injection Affecting org.webjars.npm:hot-formula-parser package, versions [,3.0.1)
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
- Integrity: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.58% (78th percentile)
- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-541329
- published 10 Jan 2020
- disclosed 18 Dec 2019
- credit Alexander Andersson
Introduced: 18 Dec 2019
CVE-2020-6836
How to fix?
Upgrade org.webjars.npm:hot-formula-parser to version 3.0.1 or higher.
Overview
org.webjars.npm:hot-formula-parser is a Parser class that evaluates Excel and mathematical formulas.
Affected versions of this package are vulnerable to Arbitrary Code Injection. The package does not sanitize values passed to the parse function and concatenates them into an eval call.
PoC
SUM([(function(){require('child_process').execSync('touch test')})(),2])
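Added example, not hot-formula-parser's own code and not from Snyk: a hypothetical toy evaluator that shows the defect class the Overview describes (formula text concatenated into eval, so the string is run as JavaScript), beside a small recursive-descent evaluator that never calls eval and resolves function names only through an allowlist, plus a character-allowlist gate for callers that must keep handing strings to a third-party parser. The names unsafeEvaluate, safeEvaluate, isPlainFormula and FUNCTIONS, and the supported grammar (numbers, + - * /, parentheses, SUM with bracketed lists), are assumptions made for this illustration.

```javascript
// Vulnerable pattern (hypothetical toy, not the library's code): the formula
// string becomes JavaScript source, so any JS expression inside it runs with
// the application's privileges. Direct eval sees the local SUM helper.
function unsafeEvaluate(formula) {
  const SUM = (...xs) => xs.flat().reduce((a, b) => a + b, 0);
  // eslint-disable-next-line no-eval
  return eval(formula);
}

// Allowlist of callable formula functions. Identifiers in the formula can only
// ever resolve to entries here; nothing else in the JS runtime is reachable.
const FUNCTIONS = { SUM: (xs) => xs.reduce((a, b) => a + b, 0) };

// Tokenizer: numbers, identifiers and a fixed punctuation set. Anything else
// (quotes, braces, dots outside numbers) is rejected before parsing starts.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (/[0-9]/.test(c)) {
      let j = i; while (j < src.length && /[0-9.]/.test(src[j])) j++;
      tokens.push({ t: 'num', v: Number(src.slice(i, j)) }); i = j; continue;
    }
    if (/[A-Za-z]/.test(c)) {
      let j = i; while (j < src.length && /[A-Za-z]/.test(src[j])) j++;
      tokens.push({ t: 'id', v: src.slice(i, j).toUpperCase() }); i = j; continue;
    }
    if ('()[],+-*/'.includes(c)) { tokens.push({ t: c }); i++; continue; }
    throw new Error(`unexpected character ${JSON.stringify(c)} at ${i}`);
  }
  return tokens;
}

// Safe pattern: a recursive-descent evaluator. No eval, no Function(), and the
// only side effect is arithmetic on the token stream.
function safeEvaluate(formula) {
  const toks = tokenize(formula);
  let pos = 0;
  const peek = () => toks[pos];
  const eat = (t) => {
    const tok = toks[pos];
    if (!tok || tok.t !== t) throw new Error(`expected ${t} at token ${pos}`);
    pos++; return tok;
  };
  function expr() {                       // expr := term (('+'|'-') term)*
    let v = term();
    while (peek() && (peek().t === '+' || peek().t === '-')) {
      const op = toks[pos++].t; const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  function term() {                       // term := factor (('*'|'/') factor)*
    let v = factor();
    while (peek() && (peek().t === '*' || peek().t === '/')) {
      const op = toks[pos++].t; const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function factor() {                     // number | '-' factor | '(' expr ')' | NAME '(' args ')'
    const tok = peek();
    if (!tok) throw new Error('unexpected end of formula');
    if (tok.t === 'num') { pos++; return tok.v; }
    if (tok.t === '-') { pos++; return -factor(); }
    if (tok.t === '(') { pos++; const v = expr(); eat(')'); return v; }
    if (tok.t === 'id') {
      pos++;
      const fn = FUNCTIONS[tok.v];       // allowlist lookup, never a scope lookup
      if (!fn) throw new Error(`unknown function ${tok.v}`);
      eat('('); return fn(argList(')'));
    }
    throw new Error(`unexpected token ${tok.t}`);
  }
  function argList(close) {               // args := (arg (',' arg)*)? ; arg := '[' args ']' | expr
    const out = [];
    if (peek() && peek().t === close) { pos++; return out; }
    for (;;) {
      if (peek() && peek().t === '[') { pos++; out.push(...argList(']')); }
      else out.push(expr());
      if (peek() && peek().t === ',') { pos++; continue; }
      eat(close); return out;
    }
  }
  const result = expr();
  if (pos !== toks.length) throw new Error('trailing input after formula');
  return result;
}

// Defence-in-depth gate for code that still passes strings to an external
// parser: accept only the characters an arithmetic formula needs. This is a
// coarse filter, not a substitute for a parser that does not use eval.
const PLAIN_FORMULA = /^[\sA-Za-z0-9.,+\-*\/()\[\]]*$/;
function isPlainFormula(input) { return PLAIN_FORMULA.test(input); }
```

With the toy, unsafeEvaluate("(1+1).toString(2)") returns the string "10" because the formula is simply executed as JavaScript, while safeEvaluate rejects the same input at the tokenizer (the dot is not part of a number). The advisory's PoC fails isPlainFormula and safeEvaluate for the same reason; the gate is a stopgap for callers, and the fix for this package remains the upgrade to 3.0.1 or higher.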