Arbitrary Code Injection

Affecting org.webjars.npm:hot-formula-parser artifact, versions [,3.0.1)

Overview

org.webjars.npm:hot-formula-parser is a WebJar packaging of the npm hot-formula-parser library, a Parser class that evaluates Excel-style and mathematical formulas.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The package does not sanitize the formula text passed to the parse function; it concatenates that text into a string handed to eval, so any JavaScript expression embedded in a formula is executed with the privileges of the process running the parser.

PoC

SUM([(function(){require('child_process').execSync('touch test')})(),2])
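The following self-contained JavaScript is an added illustration of the pattern described above; it is not hot-formula-parser's own code. vulnerableEval() splices untrusted formula text into an eval call, and safeEval() evaluates the same small grammar by tokenizing and parsing it so the formula stays data. The supported functions (SUM, MIN, MAX), the grammar, and the payload are assumptions for the demo; the payload has the same shape as the PoC but sets a global flag instead of spawning a process so it is safe to run.

```javascript
// Added example, not the library's code. Contrasts eval-concatenation with a
// hand-written evaluator for a toy spreadsheet grammar.

// --- Vulnerable pattern: untrusted formula text is concatenated into eval ---
function vulnerableEval(formula) {
  const SUM = (list) => list.reduce((a, b) => a + b, 0); // visible to direct eval
  // Anything that parses as JavaScript inside the formula runs here.
  return eval('(' + formula + ')');
}

// --- Hardened pattern: tokenize, parse, evaluate; no eval anywhere ----------
// Allowlisted functions (assumption for the demo); every argument is a number.
const FUNCTIONS = {
  SUM: (xs) => xs.reduce((a, b) => a + b, 0),
  MIN: (xs) => Math.min(...xs),
  MAX: (xs) => Math.max(...xs),
};

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (/\s/.test(ch)) { i++; continue; }
    if (/[0-9]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const value = Number(src.slice(i, j));
      if (Number.isNaN(value)) throw new SyntaxError(`Bad number at offset ${i}`);
      tokens.push({ type: 'num', value });
      i = j; continue;
    }
    if (/[A-Za-z_]/.test(ch)) {
      let j = i;
      while (j < src.length && /\w/.test(src[j])) j++;
      tokens.push({ type: 'ident', value: src.slice(i, j).toUpperCase() });
      i = j; continue;
    }
    if ('()[],+-*/'.includes(ch)) { tokens.push({ type: 'punct', value: ch }); i++; continue; }
    // Braces, quotes, semicolons, etc. are simply not part of the grammar.
    throw new SyntaxError(`Unexpected character ${JSON.stringify(ch)} at offset ${i}`);
  }
  return tokens;
}

// Recursive descent: expr -> term (('+'|'-') term)*, term -> factor (('*'|'/') factor)*,
// factor -> number | '-' factor | '(' expr ')' | IDENT '(' args ')'. Arguments may be
// scalars or bracketed lists, which are flattened before the function is applied.
function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const isPunct = (v) => peek() && peek().type === 'punct' && peek().value === v;
  const expect = (v) => { if (!isPunct(v)) throw new SyntaxError(`Expected ${v}`); next(); };
  const expr = () => {
    let left = term();
    while (isPunct('+') || isPunct('-')) { const op = next().value; const r = term(); left = op === '+' ? left + r : left - r; }
    return left;
  };
  const term = () => {
    let left = factor();
    while (isPunct('*') || isPunct('/')) { const op = next().value; const r = factor(); left = op === '*' ? left * r : left / r; }
    return left;
  };
  const factor = () => {
    const t = next();
    if (!t) throw new SyntaxError('Unexpected end of formula');
    if (t.type === 'num') return t.value;
    if (t.type === 'punct' && t.value === '-') return -factor();
    if (t.type === 'punct' && t.value === '(') { const v = expr(); expect(')'); return v; }
    if (t.type === 'ident') {
      // Own-property check so names like "constructor" do not resolve via the prototype.
      if (!Object.prototype.hasOwnProperty.call(FUNCTIONS, t.value)) throw new SyntaxError(`Unknown function ${t.value}`);
      expect('(');
      const args = [];
      if (!isPunct(')')) { do { args.push(...argument()); } while (isPunct(',') && next()); }
      expect(')');
      return FUNCTIONS[t.value](args);
    }
    throw new SyntaxError(`Unexpected token ${t.value}`);
  };
  const argument = () => {
    if (!isPunct('[')) return [expr()];
    next();
    const items = [];
    if (!isPunct(']')) { do { items.push(expr()); } while (isPunct(',') && next()); }
    expect(']');
    return items;
  };
  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError('Trailing input after formula');
  return result;
}

function safeEval(formula) { return parse(tokenize(formula)); }

// Constructed payload: same shape as the advisory's PoC, with a harmless side
// effect in place of child_process.execSync.
const PAYLOAD = 'SUM([(function(){ globalThis.pwned = true; return 1; })(), 2])';

// Runs both evaluators on the payload and reports what each did.
function demo() {
  globalThis.pwned = false;
  const vulnerableResult = vulnerableEval(PAYLOAD);   // 3, and the flag is now set
  const vulnerableSideEffect = globalThis.pwned;
  let safeError = null;
  try { safeEval(PAYLOAD); } catch (e) { safeError = e; } // rejected at the first '{'
  return { vulnerableResult, vulnerableSideEffect, safeError };
}
```

The hardened evaluator rejects the payload before any of it is interpreted, because braces, quotes and arbitrary identifiers are not tokens of the grammar, while the eval-based version returns the arithmetically correct 3 and has already run the attacker's function by the time it does.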

Remediation

Upgrade org.webjars.npm:hot-formula-parser to version 3.0.1 or higher. Until the upgrade is in place, treat any formula string that originates from an untrusted source as executable code and do not pass it to the parse function.

CVSS Score

7.6
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Credit
Alexander Andersson
CVE
CVE-2020-6836
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-541329
Disclosed
18 Dec, 2019
Published
10 Jan, 2020