CVE-2021-42057

Published: Nov 4, 2021Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.

Affected (3)

Products: Obsidian: Obsidian Dataview

1 product

Obsidian Dataview

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Obsidian Obsidian Dataview	Up to 0.4.11
Obsidian Obsidian Dataview	Version 0.4.12
Obsidian Obsidian Dataview	Version 0.4.12 hotfix1

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://github.com/blacksmithgu/obsidian-dataview/issues/615

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/blacksmithgu/obsidian-dataview/issues/615

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.