CVE-2023-22491

Exploit

EPSS 0.26%
Veröffentlicht 13.01.2023 19:15:12
Zuletzt bearbeitet 11.03.2025 14:15:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized.  The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL).  Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for  projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gatsbyjs ≫ Gatsby SwPlatformnode.js Version < 5.25.1

Gatsbyjs ≫ Gatsby Version6.3.1 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.492

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-22491

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22491

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22491

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-22491