Description
The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. The logfile variable is not properly sanitized in lib/Local.js before it is used.
A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker who controls that value to inject arbitrary OS commands, which are executed when the variable is processed, resulting in arbitrary command execution with the privileges of the process running browserstack-local.
Statement
To exploit this flaw, an attacker needs to be able to set the logfile variable. This typically implies prior access to the configuration files or the environment in which the configuration is defined, together with permission to modify them. For this reason, this issue has been rated with Important severity.
Mitigation
To mitigate this issue, apply strict allow-list validation to the logfile variable before it is used. Accept only alphanumeric characters, dots, dashes, underscores, and forward slashes, and reject any value containing other characters immediately rather than attempting to strip or escape them.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | io.syndesis-syndesis-parent | Affected | | |
Additional information
Status:
CVSS3 base score: 7.8 High
Related vulnerabilities
- BrowserStack Local vulnerable to Command Injection through logfile variable
- Vulnerability in the logfile parameter of lib/Local.js in the browserstack-local npm package for the Node.js platform, allowing an attacker to execute an arbitrary command