RCE vulnerability in angular 1.5.5 (virtualan-plugin)

[4ndris]

Security analysis of the current virtualan-plugin detects a vulnerability in the third party js library angular 1.5.5.
Nexus IQ identifies the threat with high-severity.

Issue
sonatype-2016-0064
Severity
Sonatype CVSS 38.5
CVE CVSS 2.00.0
Weakness
Sonatype CWE79

Explanation
The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The ensureSafeAssignContext() function in parse.js processes malicious expressions that access the constructors. A remote attacker can exploit this vulnerability by crafting malicious expressions that, when processed, result in execution of arbitrary code.

@elans3
Could you please review this? Thanks

[4ndris]

@elans3
Let me know if I can share any other detail that could help

[elans3]

Identified the issue and will be working addressing the issue.

@4ndris Working on the fix will be released by next week.

[elans3]

@4ndris this issue fixed in September release and version 2.5.3. Please confirm the same.

[4ndris]

@elans3 I see version 2.5.3 still suffer from CVE-2022-42003
Beyond:

• AngularJS - Remote Code Execution (RCE) and Cross-Site Scripting (XSS) : https://jsfiddle.net/ianhickey/5sb665we/
• CVE-2021-23358 (underscore js, The underscore package is vulnerable to Code Injection.)

[elans3]

@4ndris
I will start looking at the issue.
Can you share which security product that should i scan before I release?

[4ndris]

Hi @elans3 , do you have any update regarding this? Nexus-IQ you can use to reproduce
Maybe any plan to replace this old version of angular?

[elans3]

Thanks @4ndris . Working and Keep you updated. Will remove older version of Angular as well.

[elans3]

I'm thrilled to announce that version 3.1.0 of the Virtualan plugin with Reactjs has been released, @4ndris. I took the liberty of removing the outdated AngularJS code. So, let's get excited and start using the latest and greatest version of the plugin!"

Thanks for the patience