CVE-2014-7205
Published: 2014-10-08
Priority: P2 · 74 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 78.58% (99.5th percentile)
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bassmaster_project | bassmaster | < 1.5.2 | 1.5.2 |
| bassmaster_project | bassmaster | >= 0 < 1.5.2 | 1.5.2 |
Detection & IOCs
- Detect POST requests to the /batch endpoint containing nested JSON with a 'requests' array where a 'path' value includes JavaScript injection patterns such as appended expressions (e.g., `+'<string>'`) matching the regex `/(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g`
- Flag HTTP POST requests to /batch with Content-Type application/json where path values in the requests array contain JavaScript operators or string concatenation characters (e.g., `+'`, eval-injectable payloads) beyond normal path characters
- Look for use of `\x2f` (hex-encoded forward slash) in HTTP request bodies targeting the batch endpoint, used to bypass regex matching while injecting code
- Monitor for outbound wget requests from the Node.js server process to attacker-controlled hosts on non-standard ports (default 1337), followed by execution of a newly written binary in /tmp/
- The vulnerable route path (/batch) and server port (8080) are defaults from the examples/batch.js file; production deployments may use different paths and ports, requiring tuning of detection rules accordingly.
- The exploit targets unauthenticated access to the batch endpoint; if the deployment requires authentication, the attack surface is reduced but the underlying eval injection vulnerability in lib/batch.js still exists in bassmaster < 1.5.2.
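The request-body checks from the list above, as an added JavaScript example that is not code from the advisory sources or the bassmaster project: it flags batch `path` values containing characters outside an allowlist, plus literal `\x2f` sequences in the body. The allowlist, the function name `inspectBatchBody` and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory or the bassmaster project).
// Assumption: legitimate batch paths use only these characters; "$" and "."
// are allowed because batch paths may reference earlier results ("$0.id").
const SAFE_PATH = /^[A-Za-z0-9\/_\-.~%$?&=]*$/;
// A hex-escaped forward slash written literally in the request body.
const HEX_SLASH = /\\x2f/i;

function inspectBatchBody(rawBody) {
  const findings = [];
  if (HEX_SLASH.test(rawBody)) {
    findings.push({ index: null, reason: 'hex-escaped slash in body' });
  }
  let doc;
  try {
    doc = JSON.parse(rawBody);
  } catch (err) {
    // Malformed bodies are reported rather than silently skipped.
    findings.push({ index: null, reason: 'body is not valid JSON' });
    return findings;
  }
  const requests = doc && Array.isArray(doc.requests) ? doc.requests : [];
  requests.forEach((req, index) => {
    const path = req && req.path;
    if (typeof path !== 'string') {
      findings.push({ index, reason: 'path is not a string' });
    } else if (!SAFE_PATH.test(path)) {
      // Report each distinct character that falls outside the allowlist.
      const stripped = path.replace(/[A-Za-z0-9\/_\-.~%$?&=]/g, '');
      const chars = [...new Set(stripped)].join('');
      findings.push({ index, reason: 'unexpected characters in path', chars });
    }
  });
  return findings;
}

// Constructed sample bodies (not captured traffic).
const benign = '{"requests":[{"method":"get","path":"/profile"},{"method":"get","path":"/item/$0.id"}]}';
const appended = '{"requests":[{"method":"get","path":"/item/$0.id+\'<string>\'"}]}';
const hexSlash = String.raw`{"requests":[{"method":"get","path":"/item\\x2fa"}]}`;

for (const body of [benign, appended, hexSlash]) {
  console.log(JSON.stringify(inspectBatchBody(body)));
}
```

As the notes above say, the route and port are example defaults, so the check belongs wherever the batch route is actually mounted, and the allowlist needs tuning to the paths the application really serves.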
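CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 5.5 | MEDIUM | |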
OSV
Arbitrary JavaScript Execution in bassmaster
osv·2017-10-24
CVE-2014-7205 [CRITICAL] Arbitrary JavaScript Execution in bassmaster
A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.
## Recommendation
Update to bassmaster version 1.5.2 or greater.
GHSA
Arbitrary JavaScript Execution in bassmaster
ghsa·2017-10-24
CVE-2014-7205 [CRITICAL] CWE-94 Arbitrary JavaScript Execution in bassmaster
A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.
## Recommendation
Update to bassmaster version 1.5.2 or greater.
OSV
nagios3 regression
osv·2017-06-07·CVSS 5.5
CVE-2013-7108 nagios3 regression
USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files
from being displayed in the web interface. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A lo
OSV
nagios3 vulnerabilities
osv·2017-04-03·CVSS 5.5
CVE-2013-7108 nagios3 vulnerabilities
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A local attacker could possibly use this issue to
elevate privileges. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2016-9566)
No detection rules found.
Exploit-DB
Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit)
exploitdb·2016-11-02
CVE-2014-7205 Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit)
---
require 'msf/core'
class MetasploitModule 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution',
'Description' => %q{
This module exploits an un-authenticated code injection vulnerability in the bassmaster
nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an
attacker to dynamically execute JavaScript code on the server side using an eval.
Note that the code uses a '\x2f' character so that we hit the match on the regex.
},
'Author' =>
[
'mr_me ', # msf
'Jarda Kotesovec' # original bug finder
],
'References' =>
[
[ 'CVE', '2014-7205'],
[ 'URL', 'https://nodesecurity.io/advisories/bassmaster_js_injection'], # nodejs advisory
],
'License' => MSF_L
Metasploit
Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution
metasploit
This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character so that we hit the match on the regex.
No writeups or analysis indexed.
- http://www.openwall.com/lists/oss-security/2014/09/30/10
- http://www.securityfocus.com/bid/70180
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96730
- https://github.com/hapijs/bassmaster/commit/b751602d8cb7194ee62a61e085069679525138c4
- https://nodesecurity.io/advisories/bassmaster_js_injection
- https://www.exploit-db.com/exploits/40689/
Published: 2014-10-08