Lucene search

[email protected]NVD:CVE-2024-21488

HistoryJan 30, 2024 - 5:15 a.m.

CVE-2024-21488

2024-01-3005:15:09

CWE-77

[email protected]

web.nvd.nist.gov

arbitrary command injection

network package vulnerability

input sanitization

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.4%

JSON

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.

Affected configurations

NVD

Node

forkhqnetworkRange<0.7.0node.js

References

gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c

github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7

github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7

github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5

security.snyk.io/vuln/SNYK-JS-NETWORK-6184371

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.4%

JSON

Related for NVD:CVE-2024-21488

prion1 osv2 github1 cve1 cvelist1 veracode1