Steps to Reproduce
A long-standing vulnerability categorized as problematic/moderate has been discovered in several versions of the Angular library. CVE-2021-4231 is a cross-site scripting (XSS) vulnerability that first appeared in version 6 and went undetected until recently.
The issue is related to how code comments are parsed during server-side rendering (SSR). The parser may prematurely close a comment (see Steps to Reproduce, below) thus exposing the vulnerability. When exploited, a malicious script may be executed thereby potentially leading to unauthorized access to sensitive data or takeover of user sessions.
Although other security advisories recommend upgrading to version 10.2.5 and 11.0.5 to address this issue, the vulnerability is present in version 6, 7, 8 and 9, as well.
Below, a closing comment marker has been added between the double quotation marks as text:
'<!-- The way you close a comment is with "-->". -->'
However, the parser is unable to distinguish that the "-->" is text and not a real closing comment marker. The parser closes the comment prematurely thereby opening up the code to a potential XSS vulnerability. Additional comment closing markers are ' -->' (with an initial space) and '--!>', both of which will also trigger the vulnerability.
Addressing the Issue
The patch adds non-visible spaces '-_-_>' (where the '_' is a zero-width space '\u200B') to closing comment markers within text so that the parser does not identify them as real closing comment markers.
This vulnerability was initially discovered and corrected by Google in Angular v11 and later versions. Research by HeroDevs identified this vulnerability as also affecting earlier versions that were out of LTS and no longer receiving security updates. HeroDevs Angular NES clients were notified of this security patch and received a secure version of Angular 6, 7, 8, 9, and 10. If you haven’t installed the latest version yet or need assistance, please contact our support team for help.
Other Angular users should update immediately and might want to consider obtaining rapid Angular security support from HeroDevs for future vulnerabilities.
Learning and Prevention
CVE-2021-4231 is instructive because it went undetected for many versions before being identified and corrected. Generally, being current with security versions is considered a best practice. In this case, however, because it was a long-standing vulnerability, that would not have been enough. Specifically, just as important in this case is being rapidly notified of the vulnerability and being able to update production code very quickly.
Conclusion
Though older code is often considered especially valuable because it is “battle tested,” it’s still possible to find vulnerabilities that lurk in older versions of venerable software. HeroDevs stays on top of all the vulnerabilities discovered in our Never-Ending Support products ensuring that you are quickly notified when you need to take quick action.
If you are interested in receiving security, compliance, and compatibility support for Angular and supporting libraries, please contact us today.
Stay secure and ensure your systems are updated with the latest patches from HeroDevs. For more insights and security updates, keep following our blog.
Resources
Get alerted whenever a new vulnerability is fixed in the open source software we support.