CVE-2019-10842

Publication date 4 April 2019

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
compass-bootstrap-sass-plugin	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
node-bootstrap-sass	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
ruby-bootstrap-sass	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release

Notes

msalvatore

v3.2.0.3 was removed from the RubyGEms registry and replaced with a malicious version on March 26th, 2019. The malicious version was removed 1 hour after it was uploaded. None of the bootstrap packages in Ubuntu are affected.

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H