Vulnerability Description
The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metarhia | Metacalc | < 0.0.2 |
Related Weaknesses (CWE)
References
- https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d21PatchThird Party Advisory
- https://github.com/metarhia/metacalc/pull/16PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-METACALC-2826197ExploitThird Party Advisory
- https://github.com/metarhia/metacalc/commit/625c23d63eabfa16fc815f5832b147b08d21PatchThird Party Advisory
- https://github.com/metarhia/metacalc/pull/16PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-METACALC-2826197ExploitThird Party Advisory
FAQ
What is CVE-2022-21122?
CVE-2022-21122 is a vulnerability with a CVSS score of 9.0 (CRITICAL). The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get...
How severe is CVE-2022-21122?
CVE-2022-21122 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-21122?
Check the references section above for vendor advisories and patch information. Affected products include: Metarhia Metacalc.