Command Injection

2019-06-19T02:49:26
ID NODEJS:998
Type nodejs
Reporter Caio Lüders
Modified 2019-07-16T21:58:26

Description

Overview

Versions of entitlements prior to 1.3.0 are vulnerable to Command Injection. The package does not validate input on the entitlements function and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.3.0 or later.

References