CVE-2022-43358 (High) detected in sassv0.4.7 - autoclosed

[mend-for-github-com]

CVE-2022-43358 - High Severity Vulnerability

Vulnerable Library - sassv0.4.7

Library home page: https://github.com/rstudio/sass.git

Found in HEAD commit: 72ced4d24cec0602ce04cccc9cc88945816a4f12

Found in base branch: main

Vulnerable Source Files (1)

/node_modules/node-sass/src/libsass/src/ast_selectors.cpp

Vulnerability Details

Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).

Publish Date: 2023-08-22

URL: CVE-2022-43358

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

[ananzh]

Issue understanding

Based on this issue from libsass sass/libsass#3178, the vulnerability comes from an unchecked recursive call from the following code leading to a stack overflow. If an attacker can craft input in a way to trigger this recursion, they could potentially cause the application to crash, making this a potential Denial-of-Service (DoS) vector.

bool ComplexSelector::has_placeholder() const {
    for (size_t i = 0, L = length(); i < L; ++i) {
        if (get(i)->has_placeholder()) return true;
    }
    return false;
}

For OpenSearch Dashboards, the primary concern is whether an attacker can control or inject malicious SCSS content into our application. Here is how node-sass is used in our app:

Webpack Configurations

• OpenSearch-Dashboards/packages/osd-optimizer/src/worker/webpack.config.ts

  Line 192 in 43fe5d5

  implementation: require('node-sass'),

  
  From the webpack configurations, sass-loader is used. This suggests that SCSS files will be processed using node-sass, which in turn uses Libsass.

• OpenSearch-Dashboards/packages/osd-ui-shared-deps/webpack.config.js

  Line 101 in 43fe5d5

  'sass-loader',

  
  Another webpack config about the use of sass-loader for .scss files.

Gruntfile

• OpenSearch-Dashboards/packages/osd-ui-framework/Gruntfile.js

  Line 85 in 43fe5d5

  sass.render(

  
  Here, sass.render is used to process some SCSS files. If the malicious SCSS content (like poc3) can be passed here, it can exploit the vulnerability.

How it impacts OpenSearch Dashboards

As we mentioned earlier, For OpenSearch Dashboards, the primary concern is whether an attacker can control or inject malicious SCSS content into our application. So let's shift the focus to how an attacker could inject some scss content into OpenSearch Dashboards.

Personally, I am not aware of any customized themes or extensions that allow users to update or customize themes, which in turn allows them to write or provide SCSS. We do have customize branding but mainly on logo #725 and this customize requires modifications on the config yml file.

@joshuarrrr @abbyhu2000 @AMoo-Miki do you guys know any possibilities that an attacker could upload a scss file to cause security issues?

I think this might not a security threat for now. But we should check the responses from sass/libsass#3178 and patch accordingly.

[AMoo-Miki]

I don't believe OSD uses node-sass at runtime or if it is even included in the release artifacts but I have a vague memory of OUI doing so.

[ananzh]

I have pull the latest release artifacts and have verified that node-sass is not included in the final release artifacts. Users are protected from direct exploitation of the vulnerability in a production environment.

[ananzh]

We will keep this CVE open until either libsass patches it or we dumped legacy packages.

[kavilla]

@AMoo-Miki do we think it's worth adding to a list of postinstall in case others attempt to install?

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.