CVE-2019-10842
CRITICALbootstrap-sass 3.2.0.3 - Unauthenticated Remote Code Execution via ___cfduid Cookie
Title source: llmDescription
Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.
References (4)
Core 4
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap-sass/issues/1195
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093
Third Party Advisory x_refsource_misc
http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html
Scores
CVSS v3
9.8
EPSS
0.0890
EPSS Percentile
92.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (2)
getbootstrap/bootstrap-sass
3.2.0.3
rubygems/bootstrap-sass
3.2.0.3 - 3.2.0.4RubyGems
Published
Apr 04, 2019
Tracked Since
Feb 18, 2026