CVE-2021-4229 — Hidden Functionality in Project Ua-parser-js

CWE-912 — Hidden Functionality CWE-829 — Inclusion of Functionality from Untrusted Control Sphere5 documents5 sources

Severity

8.8HIGHNVD

CNA5.0

EPSS

0.9%

top 24.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ua-parser-js Project Ua-parser-js

Timeline

PublishedMay 24

Description

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶npmua-parser-js_project/ua-parser-js0.7.29 — 0.7.30+2

▶NVDua-parser-js_project/ua-parser-js0.7.29, 0.8.0, 1.0.0+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

ua-parser-js Crypto Mining backdoor↗2022-05-24

▶

GHSA

Embedded malware in ua-parser-js↗2021-10-22

▶

OSV

Embedded malware in ua-parser-js↗2021-10-22

▶

📋Vendor Advisories

Debian

CVE-2021-4229: node-ua-parser-js - A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated ...↗2021

▶