CVE-2022-39382
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Keystone is a headless CMS for Node.js — built with GraphQL and React.@keystone-6/core@3.0.0 || 3.0.1 users that use NODE_ENV to trigger security-sensitive functionality in their production builds are vulnerable to NODE_ENV being inlined to "development" for user code, irrespective of what your environment variables. If you do not use NODE_ENV in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use NODE_ENV to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured NODE_ENV variable. The application's dependencies, as found in node_modules (including @keystone-6/core), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that NODE_ENV=production yarn keystone start still uses secure cookies when using statelessSessions. This vulnerability has been fixed in @keystone-6/core@3.0.2, regression tests have been added for this vulnerability in #8063.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| keystonejs | keystone | >= 3.0.0, < 3.0.2 | affected |
Weaknesses
- CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343
- https://github.com/keystonejs/keystone/pull/8031/
- https://github.com/keystonejs/keystone/pull/8063
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://github.com/keystonejs/keystone/security/advisories/GHSA-25mx-2mxm-6343
- https://github.com/keystonejs/keystone/pull/8031/
- https://github.com/keystonejs/keystone/pull/8063
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.