9.8
CVE-2023-40582
- EPSS 1.49%
- Veröffentlicht 30.08.2023 18:15:09
- Zuletzt bearbeitet 21.11.2024 08:19:45
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCommand Injection Vulnerability in find-exec
find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 did not properly escape user input and are vulnerable to Command Injection via an attacker controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3. users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Find-exec Project ≫ Find-exec SwPlatformnode.js Version < 1.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.49% | 0.707 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c
https://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622