Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12dmgyLTgyYzctcHBmZ84AA48B
network Arbitrary Command Injection vulnerability
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12dmgyLTgyYzctcHBmZ84AA48B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-vvh2-82c7-ppfg, CVE-2024-21488
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21488
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
- https://github.com/advisories/GHSA-vvh2-82c7-ppfg
Blast Radius: 17.5
Affected Packages
npm:network
Dependent packages: 111Dependent repositories: 247
Downloads: 15,399 last month
Affected Version Ranges: < 0.7.0
Fixed in: 0.7.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1
All unaffected versions: 0.7.0