Lucene search

GitHub Advisory DatabaseGHSA-WJR4-2JGW-HMV8

HistoryJul 31, 2018 - 6:28 p.m.

Command Injection in whereis

2018-07-3118:28:53

CWE-77

GitHub Advisory Database

github.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.2%

JSON

Versions of whereis before 0.4.1 are vulnerable to command injection if untrusted user input is passed into whereis.

Recommendation

Update to version 0.4.1 or later.

Affected configurations

Vulners

Node

whereis_projectwhereisRange<0.4.1node.js

CPENameOperatorVersion
whereislt0.4.1

CPE	Name	Operator	Version
	whereis	lt	0.4.1

References

github.com/advisories/GHSA-wjr4-2jgw-hmv8

github.com/vvo/node-whereis/commit/0f64e3780235004fb6e43bfd153ea3e0e210ee2b

hackerone.com/reports/319476

nvd.nist.gov/vuln/detail/CVE-2018-3772

www.npmjs.com/advisories/604

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

69.2%

JSON

Related for GHSA-WJR4-2JGW-HMV8