Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NXJwLTZncXAtNjYyMs4AA1lI
Command Injection Vulnerability in find-exec
Older versions of the package are vulnerable to Command Injection as an attacker controlled parameter. As a result, attackers may run malicious commands.
For example:
const find = require("find-exec");
find("mplayer; touch hacked")
This creates a file named "hacked" on the filesystem.
You should never allow users to control commands to find, since this package attempts to run every command provided.
Thanks to @miguelafmonteiro for reporting.
Permalink: https://github.com/advisories/GHSA-95rp-6gqp-6622JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NXJwLTZncXAtNjYyMs4AA1lI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-95rp-6gqp-6622, CVE-2023-40582
References:
- https://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622
- https://nvd.nist.gov/vuln/detail/CVE-2023-40582
- https://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c
- https://github.com/advisories/GHSA-95rp-6gqp-6622
Blast Radius: 27.4
Affected Packages
npm:find-exec
Dependent packages: 13Dependent repositories: 628
Downloads: 34,502 last month
Affected Version Ranges: < 1.0.3
Fixed in: 1.0.3
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 1.0.3