
CVE-2021-20066: Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom

CVSS Score: 3.1

Basic Information

EPSS Score: 0.60203%
Published: 5/24/2022
Updated: 7/19/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
jsdom         npm        <= 16.4.0            16.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from JSDom's resource loading mechanism when configured with {resources: "usable"}. The stack trace in Tenable's example shows that resource-queue.js and per-document-resource-loader.js are directly involved in processing file:// requests. These functions handle resource loading at the implementation level but lack granular access control to block local resources, even though they operate in a security-sensitive context. The maintainers' own dispute confirms that this behavior is an explicit opt-in, which matches the described vulnerability pattern of insufficient access control granularity.

Vulnerable functions


WAF Protection Rules

WAF Rule

# Withdrawn Advisory

This advisory has been withdrawn because the user must configure jsdom to allow access to local files.

# Original description

JSDom improperly allows the loading of local resources, which allows for local files to be manipulat
