Bug ID 1232683
Summary VUL-0: CVE-2024-21537: nodejs-electron: lilconfig: insecure usage of eval in the dynamicImport function
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/426383/
OS Other
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter camila.matos@suse.com
QA Contact security-team@suse.de
CC brunopitrus@hotmail.com, camila.matos@suse.com, security-team@suse.de, smash_bz@suse.de
Blocks 1232672
Target Milestone ---
Found By Security Response Team
Blocker ---

+++ This bug was initially created as a clone of Bug #1232672 +++

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to
Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport
function. An attacker can exploit this vulnerability by passing a malicious
input through the defaultLoaders function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21537
https://www.cve.org/CVERecord?id=CVE-2024-21537
https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39ab07a9b0a7
https://github.com/antonk52/lilconfig/pull/48
https://github.com/antonk52/lilconfig/releases/tag/v3.1.1
https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789

