Lucene search

GoogleOSV:CVE-2024-21488

HistoryJan 30, 2024 - 5:15 a.m.

CVE-2024-21488

2024-01-3005:15:09

Google

osv.dev

arbitrary command injection

child process exec

input sanitization

attacker-controlled user input

operating system

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.6%

JSON

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.

CPENameOperatorVersion
networkeq0.0.12
networkeq0.6.1
networkeq0.3.0
networkeq0.5.0

Name	Operator	Version
network	eq	0.0.12
network	eq	0.6.1
network	eq	0.3.0
network	eq	0.5.0

References

gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c

github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7

github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7

github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5

security.snyk.io/vuln/SNYK-JS-NETWORK-6184371

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.6%

JSON

Related for OSV:CVE-2024-21488