CVE-2019-25158 - OpenCVE

A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pedroetb	Tts-api

Configuration 1 [-]

cpe:2.3:a:pedroetb:tts-api:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434
https://github.com/pedroetb/tts-api/releases/tag/v2.2.0
https://vuldb.com/?ctiid.248278
https://vuldb.com/?id.248278

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-12-19T13:00:06.070Z

Updated: 2024-08-05T03:00:19.426Z

Reserved: 2023-12-17T15:09:22.338Z

Link: CVE-2019-25158

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-19T13:15:43.133

Modified: 2024-05-17T01:36:43.730

Link: CVE-2019-25158

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2019-25158", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-12-17T15:09:22.338Z", "datePublished": "2023-12-19T13:00:06.070Z", "dateUpdated": "2024-08-05T03:00:19.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-12-19T13:00:06.070Z"}, "title": "pedroetb tts-api app.js onSpeechDone os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 OS Command Injection"}]}], "affected": [{"vendor": "pedroetb", "product": "tts-api", "versions": [{"version": "2.1.0", "status": "affected"}, {"version": "2.1.1", "status": "affected"}, {"version": "2.1.2", "status": "affected"}, {"version": "2.1.3", "status": "affected"}, {"version": "2.1.4", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability."}, {"lang": "de", "value": "In pedroetb tts-api bis 2.1.4 wurde eine kritische Schwachstelle gefunden. Dabei geht es um die Funktion onSpeechDone der Datei app.js. Durch Manipulieren mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 2.2.0 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 29d9c25415911ea2f8b6de247cb5c4607d13d434 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2019-07-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2019-07-14T00:00:00.000Z", "lang": "en", "value": "Countermeasure disclosed"}, {"time": "2023-12-17T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-12-17T16:15:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "VulDB GitHub Commit Analyzer", "type": "tool"}], "references": [{"url": "https://vuldb.com/?id.248278", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.248278", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434", "tags": ["patch"]}, {"url": "https://github.com/pedroetb/tts-api/releases/tag/v2.2.0", "tags": ["patch"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.426Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.248278", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.248278", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/pedroetb/tts-api/releases/tag/v2.2.0", "tags": ["patch", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pedroetb:tts-api:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A7BC92B-21CF-43A4-87DC-12008F7AC264", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en pedroetb tts-api hasta 2.1.4 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a la funci\u00f3n onSpeechDone del archivo app.js. La manipulaci\u00f3n conduce a la inyecci\u00f3n de comandos del sistema operativo. La actualizaci\u00f3n a la versi\u00f3n 2.2.0 puede solucionar este problema. El parche se identifica como 29d9c25415911ea2f8b6de247cb5c4607d13d434. Se recomienda actualizar el componente afectado. VDB-248278 es el identificador asignado a esta vulnerabilidad."}], "id": "CVE-2019-25158", "lastModified": "2024-05-17T01:36:43.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-12-19T13:15:43.133", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/pedroetb/tts-api/commit/29d9c25415911ea2f8b6de247cb5c4607d13d434"}, {"source": "cna@vuldb.com", "tags": ["Release Notes"], "url": "https://github.com/pedroetb/tts-api/releases/tag/v2.2.0"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?ctiid.248278"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.248278"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}