CVE-2022-21191

2023-01-1305:15:19

CWE-78

[email protected]

web.nvd.nist.gov

cve-2022-21191

package global-modules-path

command injection

vulnerability

nvd

input sanitization

sandbox

getpath function

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.8%

JSON

Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function.

Affected configurations

NVD

Node

global-modules-path_projectglobal-modules-pathRange<3.0.0

CPENameOperatorVersion
global-modules-path_project:global-modules-pathglobal-modules-path project global-modules-pathlt3.0.0

CPE	Name	Operator	Version
global-modules-path_project:global-modules-path	global-modules-path project global-modules-path	lt	3.0.0

CNA Affected

[
  {
    "product": "global-modules-path",
    "versions": [
      {
        "version": "0",
        "lessThan": "3.0.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]