#VU67156 Missing Authorization in jsdom - CVE-2021-20066

Cybersecurity Help s.r.o.

Published: 2022-09-09

Vulnerability identifier: #VU67156

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-20066

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jsdom
Web applications / JS libraries

Vendor: jsdom

Description

The vulnerability allows a remote attacker to manipulate local files.

The vulnerability exists due to JSDom improperly allows the loading of local resources. A remote attacker can manipulate local files using a malicious web page when script execution is enabled.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jsdom: 16.4.0

External links
https://www.tenable.com/security/research/tra-2021-05
https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in IBM Planning Analytics Workspace