
CVE-2019-19609

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (CPE data from NVD; every listed release precedes 3.0.0-beta.17.8)

Vendor  Product  Version   Update
Strapi  Strapi   <= 1.6.4  -
Strapi  Strapi   3.0.0     alpha4
Strapi  Strapi   3.0.0     alpha4.8
Strapi  Strapi   3.0.0     alpha5.3
Strapi  Strapi   3.0.0     alpha5.5
Strapi  Strapi   3.0.0     alpha6.3
Strapi  Strapi   3.0.0     alpha6.4
Strapi  Strapi   3.0.0     alpha6.7
Strapi  Strapi   3.0.0     alpha7.2
Strapi  Strapi   3.0.0     alpha7.3
Strapi  Strapi   3.0.0     alpha8
Strapi  Strapi   3.0.0     alpha8.3
Strapi  Strapi   3.0.0     alpha9
Strapi  Strapi   3.0.0     alpha9.1
Strapi  Strapi   3.0.0     alpha9.2
Strapi  Strapi   3.0.0     alpha10.1
Strapi  Strapi   3.0.0     alpha10.2
Strapi  Strapi   3.0.0     alpha10.3
Strapi  Strapi   3.0.0     alpha11
Strapi  Strapi   3.0.0     alpha11.1
Strapi  Strapi   3.0.0     alpha11.2
Strapi  Strapi   3.0.0     alpha11.3
Strapi  Strapi   3.0.0     alpha12
Strapi  Strapi   3.0.0     alpha12.1
Strapi  Strapi   3.0.0     alpha12.1.3
Strapi  Strapi   3.0.0     alpha12.2
Strapi  Strapi   3.0.0     alpha12.3
Strapi  Strapi   3.0.0     alpha12.4
Strapi  Strapi   3.0.0     alpha12.5
Strapi  Strapi   3.0.0     alpha12.6
Strapi  Strapi   3.0.0     alpha12.7
Strapi  Strapi   3.0.0     alpha12.7.1
Strapi  Strapi   3.0.0     alpha13
Strapi  Strapi   3.0.0     alpha13.0.1
Strapi  Strapi   3.0.0     alpha13.1
Strapi  Strapi   3.0.0     alpha14
Strapi  Strapi   3.0.0     alpha14.1
Strapi  Strapi   3.0.0     alpha14.1.1
Strapi  Strapi   3.0.0     alpha14.2
Strapi  Strapi   3.0.0     alpha14.3
Strapi  Strapi   3.0.0     alpha14.4.0
Strapi  Strapi   3.0.0     alpha14.5
Strapi  Strapi   3.0.0     alpha15
Strapi  Strapi   3.0.0     alpha16
Strapi  Strapi   3.0.0     alpha17
Strapi  Strapi   3.0.0     alpha18
Strapi  Strapi   3.0.0     alpha19
Strapi  Strapi   3.0.0     alpha20
Strapi  Strapi   3.0.0     alpha21
Strapi  Strapi   3.0.0     alpha22
Strapi  Strapi   3.0.0     alpha23
Strapi  Strapi   3.0.0     alpha23.1
Strapi  Strapi   3.0.0     alpha24
Strapi  Strapi   3.0.0     alpha24.1
Strapi  Strapi   3.0.0     alpha25
Strapi  Strapi   3.0.0     alpha25.1
Strapi  Strapi   3.0.0     alpha25.2
Strapi  Strapi   3.0.0     alpha26
Strapi  Strapi   3.0.0     alpha26.1
Strapi  Strapi   3.0.0     alpha26.2
Strapi  Strapi   3.0.0     beta0
Strapi  Strapi   3.0.0     beta1
Strapi  Strapi   3.0.0     beta2
Strapi  Strapi   3.0.0     beta3
Strapi  Strapi   3.0.0     beta4
Strapi  Strapi   3.0.0     beta5
Strapi  Strapi   3.0.0     beta6
Strapi  Strapi   3.0.0     beta7
Strapi  Strapi   3.0.0     beta8
Strapi  Strapi   3.0.0     beta9
Strapi  Strapi   3.0.0     beta10
Strapi  Strapi   3.0.0     beta11
Strapi  Strapi   3.0.0     beta12
Strapi  Strapi   3.0.0     beta13
Strapi  Strapi   3.0.0     beta14
Strapi  Strapi   3.0.0     beta15
Strapi  Strapi   3.0.0     beta16
Strapi  Strapi   3.0.0     beta16.1
Strapi  Strapi   3.0.0     beta16.2
Strapi  Strapi   3.0.0     beta16.3
Strapi  Strapi   3.0.0     beta16.4
Strapi  Strapi   3.0.0     beta16.5
Strapi  Strapi   3.0.0     beta16.6
Strapi  Strapi   3.0.0     beta16.7
Strapi  Strapi   3.0.0     beta16.8
Strapi  Strapi   3.0.0     beta17
Strapi  Strapi   3.0.0     beta17.1
Strapi  Strapi   3.0.0     beta17.2
Strapi  Strapi   3.0.0     beta17.3
Strapi  Strapi   3.0.0     beta17.4
Strapi  Strapi   3.0.0     beta17.5
Strapi  Strapi   3.0.0     beta17.6
Strapi  Strapi   3.0.0     beta17.7
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  81.6%  0.992
CVSS metrics

Source        Version   Base Score  Exploitability Score  Impact Score  Vector String
nvd@nist.gov  CVSS 3.1  7.2         1.2                   5.9           CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov  CVSS 2.0  9.0         8.0                   10.0          AV:N/AC:L/Au:S/C:C/I:C/A:C

Both vectors require an authenticated, privileged caller (PR:H in v3.1, Au:S in v2.0), which matches the description: the injection point sits in the plugin install and uninstall actions of the admin panel, so an attacker needs admin-panel access before reaching it. The confidentiality, integrity and availability impacts are all rated high/complete because the injected commands run with the privileges of the Strapi server process.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.