GHSA-9hqj-38j2-5jgm

Опубликовано: 01 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Command Injection in ascii-art

Versions of ascii-art before 1.4.4 are vulnerable to command injection. This is exploitable when user input is passed into the argument of the ascii-art preview command.

Example Proof of concept: ascii-art preview 'doom"; touch /tmp/malicious; echo "'

Given that the input is passed on the command line and none of the api methods are vulnerable to this, the likely exploitation vector is when the ascii-art comment is being called programmatically using something like execFile.

Recommendation

Update to version 1.4.4 or later.

Ссылки

https://hackerone.com/reports/390631
https://github.com/nodejs/security-wg/blob/master/vuln/npm/471.json
https://www.npmjs.com/advisories/727

Пакеты

Наименование

ascii-art

npm

Затронутые версииВерсия исправления

<= 1.4.2

1.4.4

Дефекты

CWE-77

Дефекты

CWE-77