Skip to content

Processing untrusted theming resources might execute arbitrary code (ACE)

High severity GitHub Reviewed Published Jan 29, 2021 in SAP/less-openui5 • Updated Feb 1, 2023

Package

npm less-openui5 (npm)

Affected versions

< 0.10.0

Patched versions

0.10.0

Description

Impact

When processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.

While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.

Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:

An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.

This is an example of inline JavaScript in a Less file:

.rule {
	@var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
	color: @var;
}

Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.

Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:

.rule {
	@var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
	color: @var;
}

Patches

We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.

This fix is available in less-openui5 version v0.10.0

Workarounds

Only process trusted theming resources.

For more information

If you have any questions or comments about this advisory:

References

@matz3 matz3 published to SAP/less-openui5 Jan 29, 2021
Reviewed Jan 29, 2021
Published to the GitHub Advisory Database Jan 29, 2021
Published by the National Vulnerability Database Feb 16, 2021
Last updated Feb 1, 2023

Severity

High

EPSS score

0.125%
(48th percentile)

Weaknesses

CVE ID

CVE-2021-21316

GHSA ID

GHSA-3crj-w4f5-gwh4

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.