Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALPTtNVfowfZmQxBUjhGvC8b7quqnXLWQZL=2xBO7uD-MGvewg@mail.gmail.com>
Date: Wed, 20 Jan 2016 12:05:02 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Cc: report@...esecurity.io
Subject: CVE request: Two vulnerabilities in mapbox.js node module

Noticed these via the Node Security Project.

mapbox.js is "Mapbox JavaScript API, a Leaflet Plugin".
http://mapbox.com/mapbox.js/

Homepage: https://github.com/mapbox/mapbox.js

Download: https://www.npmjs.com/package/mapbox.js

* Content Injection via TileJSON attribute

  https://nodesecurity.io/advisories/49

  Overview:

  Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable
  to a cross-site-scripting attack in certain uncommon usage scenarios.

  If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON
  content from a non-Mapbox URL, it is possible for a malicious user with
  control over the TileJSON content to inject script content into the
  "attribution" value of the TileJSON which will be executed in the context of
  the page using Mapbox.js.

  Such usage is uncommon. The following usage scenarios are not vulnerable:

  * only trusted TileJSON content is loaded
  * TileJSON content comes only from mapbox.com URLs
  * a Mapbox map ID is supplied, rather than a TileJSON URL

  Remediation:

  Upgrade to Mapbox.js version 2.1.7. If you are still using a 1.x version and
  unable to upgrade to 2.1.7, upgrade to 1.6.5.

  Credit: John Firebaugh


* Content Injection via TileJSON Name

  https://nodesecurity.io/advisories/74

  Overview:

  Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable
  to a cross-site-scripting attack in certain uncommon usage scenarios.

  If you use L.mapbox.map and L.mapbox.shareControl it is possible for a
  malicious user with control over the TileJSON content to inject script
  content into the name value of the TileJSON. After clicking on the share
  control, the malicious code will execute in the context of the page using
  Mapbox.js.

  Such usage is uncommon. L.mapbox.shareControl is not automatically added to
  mapbox.js maps and must be explicitly added. The following usage scenarios
  are not vulnerable:

  * the map does not use a share control (L.mapbox.sharecontrol)
  * only trusted TileJSON content is loaded

  Remediation:

  Upgrade to Mapbox.js version 2.2.4. If you are still using a 1.x version and
  unable to upgrade to 2.2.4, upgrade to 1.6.6.

  If you are unable to upgrade to either 2.2.4 or 1.6.6, you can also remove
  instances of L.mapbox.shareControl from your maps.

  Credit: Alexandra Ulsh


The advisories state that a CVE has been requested, but I haven't seen any
assignments yet. Please assign CVEs as appropriate.

Thanks,
~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.