Published: 05 Jul 2024
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 9.9
Description
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Packages
Name: hfs (npm)
Affected versions: < 0.52.10
Fixed version: 0.52.10
EPSS
Percentile: 99%
Score: 0.78344
Severity: High
CVSS4: 8.7 High
CVSS3: 9.9 Critical
CVE ID
Weaknesses
CWE-284
CWE-78
Related vulnerabilities
CVSS3: 9.9
nvd
more than 1 year ago
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).