Lucene search

HackeroneCVE-2017-16058

HistoryJun 07, 2018 - 2:29 a.m.

CVE-2017-16058

2018-06-0702:29:00

CWE-200

CWE-506

hackerone

web.nvd.nist.gov

cve

2017

16058

gruntcli

malicious

module

hijack

environment variables

npm

unpublished

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

53.8%

JSON

gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

Affected configurations

Nvd

Node

gruntcli_projectgruntclinode.js

VendorProductVersionCPE
gruntcli_projectgruntcli*cpe:2.3:a:gruntcli_project:gruntcli:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
gruntcli_project	gruntcli	*	cpe:2.3:a:gruntcli_project:gruntcli::::::node.js::*

CNA Affected

[
  {
    "product": "gruntcli node module",
    "vendor": "HackerOne",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  }
]

References

nodesecurity.io/advisories/498

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

53.8%

JSON

Related for CVE-2017-16058