CVE-2021-42057 in Obsidian Dataview
Summary
by MITRE • 11/05/2021
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/09/2021
The CVE-2021-42057 vulnerability represents a critical code injection flaw in Obsidian Dataview plugin versions up to 0.4.12-hotfix1. This vulnerability stems from the improper handling of user input within the evalInContext function, which directly executes arbitrary code without adequate sanitization or validation. The flaw exists in the core processing logic of the Dataview plugin, making it particularly dangerous as it can be exploited through seemingly benign Markdown files that contain malicious payloads.
The technical implementation of this vulnerability leverages the eval function in JavaScript, which is inherently dangerous when processing untrusted input. When users open Markdown files containing crafted malicious code, the evalInContext function processes this input and executes it as JavaScript code within the Obsidian application context. This creates a remote code execution vector that allows attackers to execute arbitrary commands on the victim's system with the privileges of the Obsidian application. The vulnerability is classified under CWE-94 as "Improper Control of Generation of Code ('Code Injection')" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: JavaScript."
The operational impact of this vulnerability is severe as it enables attackers to compromise user systems through social engineering attacks targeting Markdown files. Attackers can craft malicious documents that appear legitimate but contain hidden code execution payloads. Once opened, these files can download and execute additional malware, steal sensitive information, or establish persistence mechanisms. The vulnerability affects all users running affected versions of Obsidian Dataview, making it a widespread concern for anyone using the plugin for data visualization or note-taking.
The mitigation strategy involves upgrading to Obsidian Dataview version 0.4.13 or later, which provides specific protections against certain exploitation scenarios. However, users should also implement additional security measures such as validating all Markdown files from untrusted sources before opening them, disabling the Dataview plugin when not actively needed, and maintaining regular backups of important data. Organizations should consider implementing network-level protections and monitoring for suspicious file access patterns to detect potential exploitation attempts. The vulnerability demonstrates the critical importance of input validation and the dangerous nature of dynamic code execution in security-sensitive applications, particularly in productivity tools that process user-generated content.