Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmeHYtcXF2Zy0yNHBn
OS Command Injection in im-metadata
im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. Arbitrary commands can be injected as part of the metadata options, which are passed to the "exec" function.
Permalink: https://github.com/advisories/GHSA-qfxv-qqvg-24pg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFmeHYtcXF2Zy0yNHBn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-qfxv-qqvg-24pg, CVE-2019-10788
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10788
- https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639
- https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184
- https://github.com/advisories/GHSA-qfxv-qqvg-24pg
Blast Radius: 14.6
Affected Packages
npm:im-metadata
Dependent packages: 5
Dependent repositories: 31
Downloads: 2,436 last month
Affected Version Ranges: <= 3.0.1
No known fixed version
All affected versions: 1.0.1, 1.0.2, 1.0.3, 1.1.0, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.0.1