Lucene search

[email protected]NVD:CVE-2019-19609

HistoryDec 05, 2019 - 8:15 p.m.

CVE-2019-19609

2019-12-0520:15:10

CWE-78

[email protected]

web.nvd.nist.gov

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.093 Low

EPSS

Percentile

94.7%

JSON

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

Affected configurations

NVD

Node

strapistrapiRange≤1.6.4

strapistrapiMatch3.0.0alpha10.1

strapistrapiMatch3.0.0alpha10.2

strapistrapiMatch3.0.0alpha10.3

strapistrapiMatch3.0.0alpha11

strapistrapiMatch3.0.0alpha11.1

strapistrapiMatch3.0.0alpha11.2

strapistrapiMatch3.0.0alpha11.3

strapistrapiMatch3.0.0alpha12

strapistrapiMatch3.0.0alpha12.1

strapistrapiMatch3.0.0alpha12.1.3

strapistrapiMatch3.0.0alpha12.2

strapistrapiMatch3.0.0alpha12.3

strapistrapiMatch3.0.0alpha12.4

strapistrapiMatch3.0.0alpha12.5

strapistrapiMatch3.0.0alpha12.6

strapistrapiMatch3.0.0alpha12.7

strapistrapiMatch3.0.0alpha12.7.1

strapistrapiMatch3.0.0alpha13

strapistrapiMatch3.0.0alpha13.0.1

strapistrapiMatch3.0.0alpha13.1

strapistrapiMatch3.0.0alpha14

strapistrapiMatch3.0.0alpha14.1

strapistrapiMatch3.0.0alpha14.1.1

strapistrapiMatch3.0.0alpha14.2

strapistrapiMatch3.0.0alpha14.3

strapistrapiMatch3.0.0alpha14.4.0

strapistrapiMatch3.0.0alpha14.5

strapistrapiMatch3.0.0alpha15

strapistrapiMatch3.0.0alpha16

strapistrapiMatch3.0.0alpha17

strapistrapiMatch3.0.0alpha18

strapistrapiMatch3.0.0alpha19

strapistrapiMatch3.0.0alpha20

strapistrapiMatch3.0.0alpha21

strapistrapiMatch3.0.0alpha22

strapistrapiMatch3.0.0alpha23

strapistrapiMatch3.0.0alpha23.1

strapistrapiMatch3.0.0alpha24

strapistrapiMatch3.0.0alpha24.1

strapistrapiMatch3.0.0alpha25

strapistrapiMatch3.0.0alpha25.1

strapistrapiMatch3.0.0alpha25.2

strapistrapiMatch3.0.0alpha26

strapistrapiMatch3.0.0alpha26.1

strapistrapiMatch3.0.0alpha26.2

strapistrapiMatch3.0.0alpha4

strapistrapiMatch3.0.0alpha4.8

strapistrapiMatch3.0.0alpha5.3

strapistrapiMatch3.0.0alpha5.5

strapistrapiMatch3.0.0alpha6.3

strapistrapiMatch3.0.0alpha6.4

strapistrapiMatch3.0.0alpha6.7

strapistrapiMatch3.0.0alpha7.2

strapistrapiMatch3.0.0alpha7.3

strapistrapiMatch3.0.0alpha8

strapistrapiMatch3.0.0alpha8.3

strapistrapiMatch3.0.0alpha9

strapistrapiMatch3.0.0alpha9.1

strapistrapiMatch3.0.0alpha9.2

strapistrapiMatch3.0.0beta0

strapistrapiMatch3.0.0beta1

strapistrapiMatch3.0.0beta10

strapistrapiMatch3.0.0beta11

strapistrapiMatch3.0.0beta12

strapistrapiMatch3.0.0beta13

strapistrapiMatch3.0.0beta14

strapistrapiMatch3.0.0beta15

strapistrapiMatch3.0.0beta16

strapistrapiMatch3.0.0beta16.1

strapistrapiMatch3.0.0beta16.2

strapistrapiMatch3.0.0beta16.3

strapistrapiMatch3.0.0beta16.4

strapistrapiMatch3.0.0beta16.5

strapistrapiMatch3.0.0beta16.6

strapistrapiMatch3.0.0beta16.7

strapistrapiMatch3.0.0beta16.8

strapistrapiMatch3.0.0beta17

strapistrapiMatch3.0.0beta17.1

strapistrapiMatch3.0.0beta17.2

strapistrapiMatch3.0.0beta17.3

strapistrapiMatch3.0.0beta17.4

strapistrapiMatch3.0.0beta17.5

strapistrapiMatch3.0.0beta17.6

strapistrapiMatch3.0.0beta17.7

strapistrapiMatch3.0.0beta2

strapistrapiMatch3.0.0beta3

strapistrapiMatch3.0.0beta4

strapistrapiMatch3.0.0beta5

strapistrapiMatch3.0.0beta6

strapistrapiMatch3.0.0beta7

strapistrapiMatch3.0.0beta8

strapistrapiMatch3.0.0beta9

References

packetstormsecurity.com/files/163940/Strapi-3.0.0-beta.17.7-Remote-Code-Execution.html

packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html

bittherapy.net/post/strapi-framework-remote-code-execution/

github.com/strapi/strapi/pull/4636

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.093 Low

EPSS

Percentile

94.7%

JSON

Related for NVD:CVE-2019-19609

githubexploit4 checkpoint_advisories1 packetstorm2 prion1 veracode1 github1 osv2 zdt2 cvelist1 cve1 exploitdb2