Summaryinfo

A vulnerability classified as critical has been found in ua-parser-js 0.7.29/0.8.0/1.0.0 on NPM. Affected is an unknown function of the component Crypto Mining. The manipulation leads to backdoor. This vulnerability is traded as CVE-2021-4229. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Detailsinfo

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0 on NPM (NPM Package). It has been rated as critical. This issue affects some unknown functionality of the component Crypto Mining. The manipulation with an unknown input leads to a backdoor vulnerability. Using CWE to declare the problem leads to CWE-912. The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators. Impacted is confidentiality, integrity, and availability.

The weakness was presented 10/27/2021 as GHSA-pjwm-rvh2-c87w. The advisory is shared at github.com. The identification of this vulnerability is CVE-2021-4229. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. MITRE ATT&CK project uses the attack technique T1588.001 for this issue.

It is declared as proof-of-concept.

Upgrading to version 0.7.30, 0.8.1 or 1.0.1 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• NPM Package

Name

• ua-parser-js

Version

• 0.7.29
• 0.8.0
• 1.0.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion