CVE-2020-13110

Опубликовано: 16 мая 2020

Источник: nvd

CVSS3: 7.8

CVSS2: 6.9

EPSS Низкий

Описание

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.

Ссылки

https://medium.com/%40kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd
https://www.linkedin.com/posts/op-innovate_dll-injection-attack-in-kerberos-npm-package-activity-6667043749547253760-kVlW
Third Party Advisory
https://www.npmjs.com/advisories/1514
Third Party Advisory
https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/
Exploit
Mitigation
Third Party Advisory
https://medium.com/%40kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd
https://www.linkedin.com/posts/op-innovate_dll-injection-attack-in-kerberos-npm-package-activity-6667043749547253760-kVlW
Third Party Advisory
https://www.npmjs.com/advisories/1514
Third Party Advisory
https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/
Exploit
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:kerberos_project:kerberos:*:*:*:*:*:node.js:*:*

Версия до 1.0.0 (исключая)

EPSS

Процентиль: 21%

0.00068

Низкий

7.8 High

CVSS3

6.9 Medium

CVSS2

Дефекты

CWE-427

Связанные уязвимости

GHSA-m2mx-rfpw-jghv