CVE-2023-44270Injection in Postcss

CWE-74InjectionCWE-144Improper Neutralization of Line DelimitersCWE-93CRLF Injection7 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 55.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
PostcssDebian Node-postcssMsrc Azl3 Python-tensorboard 2.16.2-6 ON Azure Linux 3.0
Timeline
PublishedSep 29
Latest updateSep 30

Description

An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

NVDpostcss/postcss< 8.4.31
npmpostcss/postcss< 8.4.31
debiandebian/node-postcss< node-postcss 8.4.20+~cs8.0.23-1+deb12u1 (bookworm)

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
PostCSS line return parsing error2023-09-30
OSV
PostCSS line return parsing error2023-09-30
OSV
CVE-2023-44270: An issue was discovered in PostCSS before 82023-09-29

📋Vendor Advisories

3
Red Hat
PostCSS: Improper input validation in PostCSS2023-09-29
Microsoft
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts2023-09-12
Debian
CVE-2023-44270: node-postcss - An issue was discovered in PostCSS before 8.4.31. The vulnerability affects lint...2023