Arbitrary Code Execution

Affecting nuclide package, versions <0.290.0

Overview

nuclide is a collection of features for Atom to provide IDE-like functionality for a variety of programming languages and technologies.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution.
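
The following is an added illustration of the defensive pattern the fix implies, not Nuclide's own code: the deep link URL shape (`atom://nuclide/hhvm-attach?hostname=...`) and the function names are assumptions. It validates the `hostname` parameter as a syntactic hostname before use and HTML-escapes it when rendering, so a crafted value can only ever appear as text.

```javascript
// Added example, not Nuclide's code. The deep link shape and function names
// are assumed. The bug class on this page: a URL parameter rendered into
// HTML without sanitization. Two layers are shown: strict validation of the
// value as a hostname (the real fix) and HTML-escaping at the render site.

// RFC 1123-style check: 1-253 chars, dot-separated labels of 1-63 chars,
// alphanumerics and hyphens only, no leading or trailing hyphen per label.
function isValidHostname(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 253) {
    return false;
  }
  return value
    .split('.')
    .every((label) => /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/.test(label));
}

// Minimal HTML escaping for text interpolated into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Parses the deep link and returns the hostname to attach to, or null when
// the link is malformed, targets a different handler, or carries a value that
// is not a syntactically valid hostname.
function parseAttachLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null;
  }
  if (url.pathname !== '/hhvm-attach') return null; // assumed handler path
  const host = url.searchParams.get('hostname');
  return isValidHostname(host) ? host : null;
}

// Builds the status markup shown inside the editor. Even though validation
// already rejects anything that is not a hostname, the value is escaped so a
// future bypass of the check could only produce inert text, not markup.
function renderAttachStatus(link) {
  const host = parseAttachLink(link);
  if (host === null) {
    return '<div class="hhvm-attach-error">Invalid hhvm-attach link</div>';
  }
  return `<div class="hhvm-attach">Attaching to ${escapeHtml(host)}</div>`;
}
```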

Remediation

Upgrade nuclide to version 0.290.0 or higher.


CVSS Score

8.1 (high severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:O

Credit: Unknown
CVE: CVE-2018-6333
CWE: CWE-94
Snyk ID: SNYK-JS-NUCLIDE-72876
Disclosed: 17 Mar, 2018
Published: 02 Jan, 2019