CVE-2013-4660

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that triggers an eval operation.

Published Bycve@mitre.org

Published DateJun 28, 2013, 14:55

Affected Versions(1)

js-yaml(npm)

Introduced0

Fixed2.0.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
js-yaml(npm)	0	2.0.5	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://portal.nodesecurity.io/advisories/js-yaml
https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL