Mermaid up to 9.1.2 Background Image injection

Summaryinfo

A vulnerability was found in Mermaid up to 9.1.2. It has been rated as problematic. Affected by this vulnerability is an unknown functionality of the component Background Image Handler. The manipulation leads to injection. This vulnerability is referenced as CVE-2022-31108. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Mermaid up to 9.1.2. It has been rated as problematic. This issue affects an unknown function of the component Background Image Handler. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality. The summary by CVE is:

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.

The weakness was published 06/29/2022 as GHSA-x3vm-38hw-55wf. It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2022-31108 since 05/18/2022. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1055 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 224705 (Linux Distros Unpatched Vulnerability : CVE-2022-31108), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.1.3 eliminates this vulnerability. Applying the patch 0ae1bdb61adff1cd485caff8c62ec6b8ac57b225 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (224705). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Name

• Mermaid

Version

• 9.1.0
• 9.1.1
• 9.1.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion