huntr report 001D1C29-805A-4035-93BB-71A0E81DA3E5 (reporter: 231tr0n), Feb 17, 2022 - 3:58 p.m.

Arbitrary Command Injection

Published: 2022-02-17 15:58:55
Reporter: 231tr0n
Source: www.huntr.dev

EPSS: 0.001 (Low), Percentile: 47.5%

Description

When creating a Strapi app using "npx create-strapi-app", arbitrary commands can be injected through the "template" CLI argument, as per the code at https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13. This happens because the user-supplied template value is not sanitized before it is passed to command execution.

Steps to Reproduce the PoC

1) npx create-strapi-app my-project --quickstart --template ";touch poc.txt;"
2) Run the "ls" command; you will see that a file called "poc.txt" was created in the current directory.

Impact

An attacker can execute arbitrary OS commands. If the strapi package can be run with sudo, this can be used for local privilege escalation to gain root access.

PoC (Proof)

https://prnt.sc/26xuo5z

Fix / Solution

Sanitize the input of the template parameter before introducing it into the execution context.


Regards,

R.Srikar ([email protected]) & Abhishek S([email protected])
