GitHub Advisory Database: GHSA-69F2-4375-QV9H

Command injection in smartctl

Date: 2023-01-26 21:30:27
CWE: CWE-77
Source: GitHub Advisory Database (github.com)
Tags: smartctl, command injection, input sanitization

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 28.6%

All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.

Affected configurations

Vulners
Node: smartctl_project smartctl, Range: 1.0.0

Vendor: smartctl_project
Product: smartctl
Version: *
CPE: cpe:2.3:a:smartctl_project:smartctl:*:*:*:*:*:*:*:*
