OS Command Injection
npm-lockfile is vulnerable to OS command injection. An attacker is able to inject a malicious OS command that is passed to a sensitive command execution API...
CVE-2022-0841
A flaw was found in npm-lockfile, where npm-lockfile v2 did not sanitize its only parameter before invoking a sensitive command execution API with the input. This issue leads to a command injection vulnerability...
GHSA-CR6M-62PQ-HMQH OS Command injection in npm-lockfile
npm-lockfile safely generates an npm lockfile and outputs it to the filename of your choice. npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command execution API with the input, causing a command injection vulnerability. A fix was released in version 2.0.5...
CVE-2022-0841
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4...
Command injection
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4...
CVE-2022-0841
CVE-2022-0841 concerns OS command injection in ljharb/npm-lockfile (GitHub: npm-lockfile) for versions 2.0.3 and 2.0.4. The Red Hat entry notes a flaw where npm-lockfile v2 did not sanitize the only parameter before invoking a sensitive command execution API, enabling command injection. Other sou...
CVE-2022-0841 OS Command Injection in ljharb/npm-lockfile
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4...
npm-lockfile OS command injection vulnerability
npm-lockfile is an open source tool. It can securely generate npm lockfiles and output them to a filename of your choice. A security vulnerability exists in versions prior to npm-lockfile v2.0.5, which can be exploited by attackers to perform OS command injection...
OS Command Injection
Description: npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command execution API with the input, causing a command injection vulnerability. Proof of Concept: // npm i [email protected] const getLockfile = require('npm-lockfile/getLockfile');...
npm CLI data forgery vulnerability
npm CLI is a package manager from the US-based npm. The npm CLI suffers from a data forgery vulnerability that stems from the npm ci command. Even if the dependency information in package-lock.js...
Security News: Exchange ProxyShell, Zoom RCE, Citrix Canceled PT Acknowledgments, Cisco No Patch Router RCEs
Hello everyone! This is a new episode with my comments on the latest Information Security news. Exchange ProxyShell I want to start with something about attacks on Exchange. ProxyShell is in the news, the LockFile ransomware compromised more than 2000 servers. On the other hand, there is basicall...
LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware...
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption." Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShel...
ProxyShell and PetitPotam exploits weaponized by LockFile Ransomware Group
THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. LockFile, a new ransomware gang, has been active since last week. LockFile began by using a publicly disclosed PetitPotam exploit (CVE-2021-36942) to compromise Windows Domain Controllers earlier this week. Using ProxyShell...
ProxyShell Attacks Pummel Unpatched Exchange Servers
Over the weekend, the Cybersecurity & Infrastructure Security Agency (CISA) issued an urgent alert that attackers are actively attacking ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers, joining researchers in urging organizations to immediately install the latest Microsoft Securi...
Unsafe Dependency Resolution
Overview: Affected versions of this package are vulnerable to Unsafe Dependency Resolution. An issue exists in Bundler regarding the priority of transitive dependencies and split lockfile rubygems source sections. This could lead to a dependency confusion attack where gems are resolved incorrectly...
GHSA-WQFC-CR59-H64P Missing Encryption of Sensitive Data in yarn
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause unencrypted authentication data to be sent over the network...
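The Yarn advisory above is easy to check for in a repository: the `resolved` URL of every entry in a v1 `yarn.lock` is what the client fetches, and any `http://` entry will carry registry credentials in the clear. The scanner below is an added example, not Yarn's own code; it parses the v1 lockfile layout (non-indented `name@range:` headers, indented `resolved "..."` fields) and reports every entry whose resolved URL is not `https:`. The lockfile text is constructed for the example, with an `http://` entry pointing at a made-up internal registry host.

```javascript
// Added example (not Yarn's code): flag non-https "resolved" URLs in a yarn.lock (v1).
// The lockfile below is constructed for this example.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@acme/internal-widget@^2.1.0":
  version "2.1.4"
  resolved "http://npm.internal.example/@acme/internal-widget/-/internal-widget-2.1.4.tgz#1a2b3c"
  integrity sha512-AAAA

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a5"
  integrity sha512-BBBB

lodash@^4.17.21, lodash@~4.17.0:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c"
  integrity sha512-CCCC
`;

// Returns one finding per lockfile entry whose resolved URL is not https.
function findInsecureResolvedUrls(lockText) {
  const findings = [];
  let currentEntry = null;
  for (const rawLine of lockText.split('\n')) {
    if (rawLine.startsWith('#') || rawLine.trim() === '') continue;
    if (!/^\s/.test(rawLine) && rawLine.trimEnd().endsWith(':')) {
      // Top-level entry header such as `left-pad@^1.3.0:` (scoped names are quoted).
      currentEntry = rawLine.trimEnd().slice(0, -1).replace(/^"|"$/g, '');
      continue;
    }
    const m = /^\s+resolved\s+"([^"]+)"/.exec(rawLine);
    if (!m || currentEntry === null) continue;
    let reason = null;
    try {
      const url = new URL(m[1]);
      if (url.protocol !== 'https:') reason = `scheme ${url.protocol} is not https:`;
    } catch (err) {
      reason = 'resolved value is not a parseable URL';
    }
    if (reason !== null) findings.push({ entry: currentEntry, resolved: m[1], reason });
  }
  return findings;
}

// Convenience wrapper for a file on disk (not called at load time).
function scanLockfile(pathToLock) {
  const fs = require('fs');
  return findInsecureResolvedUrls(fs.readFileSync(pathToLock, 'utf8'));
}
```

A finding means the next `yarn install` will fetch that tarball, and present any configured auth token for that host, over plain HTTP. The `integrity` field does not help here: it pins the tarball's hash, so it catches a tampered download, but it says nothing about whether the request that carried the credentials was encrypted. The remediation is to re-resolve the entry against an `https://` registry URL and commit the updated lockfile.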