QwikSec

Security Database

CVE

CWE

Training

CVE-2024-30250

Published: Apr 4, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Astro-Shield is an integration to enhance website security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques. Versions from 1.2.0 to 1.3.1 of Astro-Shield allow bypass to the allow-lists for cross-origin resources by introducing valid `integrity` attributes to the injected code. This implies that the injected SRI hash would be added to the generated CSP header, which would lead the browser to believe that the injected resource is legit. This vulnerability is patched in version 1.3.2.

Vendor	Product	Versions
kindspells	astro-shield	affected `>= 1.2.0, < 1.3.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/kindspells/astro-shield/security/advisories/GHSA-c4gr-q97g-ppwc

x_refsource_CONFIRM

https://github.com/kindspells/astro-shield/commit/1221019306f501bf5fa9bcfb5a23a2321d34ba0a

x_refsource_MISC

https://github.com/kindspells/astro-shield/commit/5ae8b8ef4f681d3a81431ee7e79d5dec545c6e1f

x_refsource_MISC

https://github.com/kindspells/astro-shield/releases/tag/1.3.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.