CVE-2019-15597

Опубликовано: 18 дек. 2019

Источник: redhat

CVSS3: 8.8

Описание

A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.

An RCE attack was found in node-df, allowing an attacker to inject code via unsanitized input. The issue occurs because user input is concatenated inside a command that will be executed without verification.

Отчет

In Red Hat OpenShift Data Foundation (previously Red Hat OpenShift Container Storage) there is bundled a vulnerable version of the node-df Nodejs package, but access to the vulnerable artifact is restricted hence the impact to the OpenShift Data Foundation components is reduced to Moderate.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Openshift Container Storage 4	ocs4/mcg-core-rhel8	Affected
Red Hat Openshift Data Foundation 4	noobaa-core-container	Affected
Red Hat Openshift Data Foundation 4	odf4/mcg-core-rhel9	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-94

https://bugzilla.redhat.com/show_bug.cgi?id=2124534node-df: unsanitized input may allow for a remote code execution

8.8 High

CVSS3

Связанные уязвимости

CVE-2019-15597

CVSS3: 9.8

nvd

около 6 лет назад

A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.

GHSA-wp7m-mrvf-599c

CVSS3: 9.8

github

почти 6 лет назад

Command Injection in node-df

8.8 High

CVSS3