Lucene search

GitHub Advisory DatabaseGHSA-VVH2-82C7-PPFG

HistoryJan 30, 2024 - 6:30 a.m.

network Arbitrary Command Injection vulnerability

2024-01-3006:30:23

CWE-77

GitHub Advisory Database

github.com

vulnerability

package

network

command execution

input sanitization

mac address

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.4%

JSON

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

Affected configurations

Vulners

Node

networkRange<0.7.0

CPENameOperatorVersion
networklt0.7.0

CPE	Name	Operator	Version
	network	lt	0.7.0

References

gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c

github.com/advisories/GHSA-vvh2-82c7-ppfg

github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7

github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7

github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5

nvd.nist.gov/vuln/detail/CVE-2024-21488

security.snyk.io/vuln/SNYK-JS-NETWORK-6184371

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.4%

JSON

Related for GHSA-VVH2-82C7-PPFG