SCA: security update for less-openui5 (GHSA-3crj-w4f5-gwh4)

high Tenable Self-Hosted Container Security Plugin ID 409463

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before
version 0.10., when processing theming resources (i.e. `*.less` files) with less-openui5 that originate
from an untrusted source, those resources might contain JavaScript code which will be executed in the
context of the build process. While this is a feature of the Less.js library it is an unexpected behavior
in the context of OpenUI5 and SAPUI5 development. Especially in the context of UI5 Tooling which relies on
less-openui5. An attacker might create a library or theme-library containing a custom control or theme,
hiding malicious JavaScript code in one of the .less files. Refer to the referenced GHSA-3crj-w4f5-gwh4
for examples. Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default.
less-openui5 however currently uses a fork of Less.js v1.6.3. Note that disabling the Inline JavaScript
feature in Less.js versions 1.x, still evaluates code has additional double codes around it. We decided to
remove the inline JavaScript evaluation feature completely from the code of our Less.js fork. This fix is
available in less-openui5 version 0.10.0. (CVE-2021-21316)

See Also

https://github.com/advisories/GHSA-3crj-w4f5-gwh4

Plugin Details

Severity: High

ID: 409463

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-21316

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/29/2021

Vulnerability Publication Date: 1/29/2021

Reference Information

CVE: CVE-2021-21316

cwe: CWE-74