Remote Code Execution Vulnerability in MIT Lifelong Kindergarten Scratch VM
CVE-2020-14000

9.8 CRITICAL

Key Information:

Vendor: MIT

CVE Published: 16 July 2020

What is CVE-2020-14000?

The Scratch VM, developed by MIT Lifelong Kindergarten, is vulnerable to remote code execution because of how it handles untrusted project.json files. Specifically, versions prior to 0.2.0-prerelease.20200714185213 allow malicious URLs to load scripts that are executed in the context of a worker. The flaw arises because the presence of certain characters, such as '_', bypasses a protection mechanism that would typically prevent deserialization attacks. As a result, attackers can inject code through crafted project.json files, posing a serious threat to user security. The hosted service at scratch.mit.edu is not impacted, due to the absence of worker scripts.

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
