Information Exposure Affecting org.webjars.bower:mermaid package, versions [,10.2.3)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.07% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGWEBJARSBOWER-2936795
  • published29 Jun 2022
  • disclosed29 Jun 2022
  • creditUnknown

Introduced: 29 Jun 2022

CVE-2022-31108  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade org.webjars.bower:mermaid to version 10.2.3 or higher.

Overview

org.webjars.bower:mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown.

Affected versions of this package are vulnerable to Information Exposure by injecting arbitrary CSS into the generated graph. Exploiting this vulnerability allows the attacker to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

PoC:

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

References

CVSS Scores

version 3.1