CVE-2018-21268 - OpenCVE

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Traceroute Project	Traceroute

Configuration 1 [-]

cpe:2.3:a:traceroute_project:traceroute:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
https://snyk.io/vuln/npm:traceroute:20160311
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
https://www.npmjs.com/advisories/1465
https://www.npmjs.com/package/traceroute
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-25T16:56:53

Updated: 2024-08-05T12:26:39.592Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2018-21268

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-25T17:15:11.567

Modified: 2023-11-07T02:56:25.940

Link: CVE-2018-21268

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-25T16:56:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"tags": ["x_refsource_MISC"], "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jaw187/node-traceroute/tags"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/traceroute"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/1465"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-21268", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy", "refsource": "MISC", "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"name": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/", "refsource": "MISC", "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}, {"name": "https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3", "refsource": "MISC", "url": "https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"name": "https://github.com/jaw187/node-traceroute/tags", "refsource": "MISC", "url": "https://github.com/jaw187/node-traceroute/tags"}, {"name": "https://www.npmjs.com/package/traceroute", "refsource": "MISC", "url": "https://www.npmjs.com/package/traceroute"}, {"name": "https://www.npmjs.com/advisories/1465", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1465"}, {"name": "https://snyk.io/vuln/npm:traceroute:20160311", "refsource": "MISC", "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"name": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f", "refsource": "MISC", "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:26:39.592Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jaw187/node-traceroute/tags"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/traceroute"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/advisories/1465"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-21268", "datePublished": "2020-06-25T16:56:53", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-05T12:26:39.592Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traceroute_project:traceroute:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "10542A2B-9A3B-4F1B-A3E9-BF8BC7B5AE30", "versionEndIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}, {"lang": "es", "value": "El paquete traceroute (tambi\u00e9n se conoce como node-traceroute) versiones hasta 1.0.0 para Node.js, permite una inyecci\u00f3n de comandos remota por medio del par\u00e1metro host. Esto ocurre porque es usado el m\u00e9todo Child.exec(), que es considerado no del todo seguro. En particular, un comando del Sistema Operativo puede ser colocado despu\u00e9s de un car\u00e1cter newline"}], "id": "CVE-2018-21268", "lastModified": "2023-11-07T02:56:25.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2020-06-25T17:15:11.567", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/jaw187/node-traceroute/tags"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/advisories/1465"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/traceroute"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}