Lucene search

GoogleOSV:GHSA-95RP-6GQP-6622

HistoryAug 30, 2023 - 8:08 p.m.

Command Injection Vulnerability in find-exec

2023-08-3020:08:58

Google

osv.dev

command injection

find-exec

vulnerability

attacker-controlled parameter

malicious commands

security issue

package vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

47.6%

JSON

Older versions of the package are vulnerable to Command Injection as an attacker controlled parameter. As a result, attackers may run malicious commands.

For example:

const find = require("find-exec");
find("mplayer; touch hacked")

This creates a file named “hacked” on the filesystem.

You should never allow users to control commands to find, since this package attempts to run every command provided.

Thanks to @miguelafmonteiro for reporting.

References

github.com/shime/find-exec

github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c

github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622

nvd.nist.gov/vuln/detail/CVE-2023-40582

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

47.6%

JSON

Related for OSV:GHSA-95RP-6GQP-6622