Описание
DLL Injection in kerberos
Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code in the machine.
Recommendation
Upgrade to version 1.0.0 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-13110
- https://medium.com/@kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd
- https://www.linkedin.com/posts/op-innovate_dll-injection-attack-in-kerberos-npm-package-activity-6667043749547253760-kVlW
- https://www.npmjs.com/advisories/1514
- https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package
Пакеты
Наименование
kerberos
npm
Затронутые версииВерсия исправления
< 1.0.0
1.0.0
Связанные уязвимости
CVSS3: 7.8
nvd
больше 5 лет назад
The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.