9.8

CVE-2024-21488

Exploit
Versions of the package network before 0.7.0 are vulnerable to arbitrary command injection because they call the child_process exec function, which runs the command through a shell, without sanitizing its input. If attacker-controlled input reaches the mac_address_for function of the package, the attacker can execute arbitrary commands on the operating system hosting the package.
Data provided by the National Vulnerability Database (NVD)

Affected product: Vendor Forkhq, Product Network, Software platform node.js, Version < 0.7.0

No alert was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  3.24%   0.867
CVSS Metrics
Source           Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov     9.8         3.9            5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
report@snyk.io   7.3         3.9            3.4           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

The two vectors agree on exploitability (network, low complexity, no privileges or user interaction) and differ only in the impact metrics: NVD rates confidentiality, integrity and availability as High, which is what unrestricted command execution implies, while Snyk rates all three as Low.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c (Third Party Advisory, Exploit, Mitigation)
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7 (Patch)
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7 (Patch)
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5 (Patch)
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371 (Third Party Advisory, Exploit)