{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-10T12:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/scravy/node-macaddress/pull/20/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=17283394"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-13797", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/scravy/node-macaddress/pull/20/", "refsource": "MISC", "url": "https://github.com/scravy/node-macaddress/pull/20/"}, {"name": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332", "refsource": "MISC", "url": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332"}, {"name": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9", "refsource": "MISC", "url": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9"}, {"name": "https://news.ycombinator.com/item?id=17283394", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=17283394"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:14:47.169Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/scravy/node-macaddress/pull/20/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=17283394"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-13797", "datePublished": "2018-07-10T12:00:00Z", "dateReserved": "2018-07-10T00:00:00Z", "dateUpdated": "2024-09-16T23:46:07.363Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:node-macaddress_project:node-macaddress:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CEAA97F5-17F4-4E50-836A-339A7AE2AF06", "versionEndExcluding": "0.2.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call."}, {"lang": "es", "value": "El m\u00f3dulo macaddress en versiones anteriores a la 0.2.9 para Node.js es propenso a un error de inyecci\u00f3n de comandos arbitrarios debido a que permite entradas no saneadas en una llamada exec (en lugar de execFile)."}], "id": "CVE-2018-13797", "lastModified": "2024-11-21T03:48:02.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-10T12:29:00.207", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/pull/20/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=17283394"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/pull/20/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/scravy/node-macaddress/releases/tag/0.2.9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=17283394"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-macaddress: improper input validation leading to command injection", "id": "1940750", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1940750"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.", "A flaw was found in nodejs-macaddress. The module allows unsanitized input to an exec call which can lead to an arbitrary command injection flaw. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2018-13797", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2018-06-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-13797\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-13797"], "statement": "Red Hat Quay uses the macaddress module, but only as a development dependency, not at runtime reducing the impact on that product to low.", "threat_severity": "Critical"}