GHSA-w725-67p7-xv22

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Command Injection in local-devices

Versions of local-devices prior to 3.0.0 are vulnerable to Command Injection. The package does not validate input on ip addresses and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 3.0.0 or later.

Ссылки

https://github.com/DylanPiercey/local-devices/pull/16
https://github.com/DylanPiercey/local-devices/commit/57b9a933c9d23d34bd5a055536db824de66db553
https://www.npmjs.com/advisories/1020

Пакеты

Наименование

local-devices

npm

Затронутые версииВерсия исправления

< 3.0.0

3.0.0

Дефекты

CWE-77

Дефекты

CWE-77