Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NzIyLXh2cTgtMzI1NM4AAx8O
SketchSVG Arbitrary Code Injection vulnerability
All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection: the package invokes shell.exec with a command string into which the current directory is concatenated, without sanitization or parametrization of that input.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NzIyLXh2cTgtMzI1NM4AAx8O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6722-xvq8-3254, CVE-2023-26107
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26107
- https://security.snyk.io/vuln/SNYK-JS-SKETCHSVG-3167969
- https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#23L115
- https://github.com/eBay/SketchSVG/blob/dd1036648f0f320a3187ef79d506b676b9eb87a6/lib/index.js#23L64
- https://github.com/advisories/GHSA-6722-xvq8-3254
Blast Radius: 0.0
Affected Packages
npm:sketchsvg
Dependent packages: 0
Dependent repositories: 1
Downloads: 4 last month
Affected Version Ranges: <= 0.0.1
No known fixed version
All affected versions: 0.0.1