漏洞标题
N/A
漏洞描述信息
MIT 长期 kindergarten Scratch Scratch-vm 在 0.2.0-prerelease.20200714185213 之前加载了某些 _ 字符的不信任项目.json 文件,导致远程代码执行,因为 URL 的内容被处理为脚本,并作为 workers 执行。负责代码是serialization/sb3.js 中的 getExtensionIdForOpcode。使用 _ 与较早版本的保护机制不兼容,在较早的版本中,URL 被拆分,从而防止了 deserialization 攻击。注意:由于缺少 worker 脚本,Scratch.mit.edu 托管服务未受影响。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented. NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
MIT Lifelong Kindergarten Scratch scratch-vm 代码问题漏洞
漏洞描述信息
MIT Lifelong Kindergarten Scratch scratch-vm是美国麻省理工学院(MIT)的一款基于块的视觉编程语言。 MIT Lifelong Kindergarten Scratch scratch-vm 0.2.0-prerelease.20200714185213之前版本中存在安全漏洞。攻击者可利用该漏洞执行代码。
CVSS信息
N/A
漏洞类别
代码问题