Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5ZjgtOGg4OS1qNjl4

Remote Code Execution in node-os-utils

Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation, an attacker could run arbitrary commands on the server.

Recommendation

Upgrade to version 1.1.0 or later.

Permalink: https://github.com/advisories/GHSA-j9f8-8h89-j69x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5ZjgtOGg4OS1qNjl4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago


CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-j9f8-8h89-j69x
References: Repository: https://github.com/SunilWang/node-os-utils
Blast Radius: 23.7

Affected Packages

npm:node-os-utils
Dependent packages: 98
Dependent repositories: 1,753
Downloads: 383,373 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.7, 1.0.8
All unaffected versions: 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7