Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04ajl2LXFocDQtd3Y1Nc4AAlJF
Node-Traceroute RCE Vulnerability
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec()
method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ajl2LXFocDQtd3Y1Nc4AAlJF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8j9v-qhp4-wv55, CVE-2018-21268
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-21268
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
- https://github.com/jaw187/node-traceroute/tags
- https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://snyk.io/vuln/npm:traceroute:20160311
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
- https://www.npmjs.com/advisories/1465
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
- https://github.com/advisories/GHSA-8j9v-qhp4-wv55
Blast Radius: 17.7
Affected Packages
npm:traceroute
Dependent packages: 6Dependent repositories: 64
Downloads: 3,034 last month
Affected Version Ranges: <= 1.0.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 1.0.0