CVE-2021-42057: Improper Control of Generation of Code ('Code Injection')

November 4, 2021 (updated November 8, 2021)

Obsidian Dataview allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: provides a mitigation for some use cases.

References

github.com/blacksmithgu/obsidian-dataview/issues/615
nvd.nist.gov/vuln/detail/CVE-2021-42057

Detect and mitigate CVE-2021-42057 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →