Description
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
References
- Exploit, Mitigation, Third Party Advisory
- Patch
- Patch
- Patch
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 0.7.0 (excluding)
cpe:2.3:a:forkhq:network:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 82%
0.01689
Low
7.3 High
CVSS3
9.8 Critical
CVSS3
Weaknesses
CWE-77
CWE-77
Related vulnerabilities
CVSS3: 7.3
github
about 2 years ago
network Arbitrary Command Injection vulnerability
CVSS3: 7.3
fstec
about 2 years ago
Vulnerability in the child_process exec function of the cross-platform Node.js network utility Network, allowing an attacker to execute arbitrary commands