
GHSA-f478-xwv9-p93q

Published: May 24, 2022
Source: github
GitHub: Reviewed
CVSS3: 7.8

Description

Duplicate Advisory: Kerberos for NodeJS allows DLL Injection

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-m2mx-rfpw-jghv. This link is maintained to preserve external references.

Original Description

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.

Packages

Name: kerberos (npm)
Affected versions: < 1.0.0
Fixed version: 1.0.0

CVSS3: 7.8 High

Weaknesses

CWE-427
