CVE-2021-32830 - OpenCVE

The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Haikuforteams	Diez

Configuration 1 [-]

cpe:2.3:a:haikuforteams:diez:-:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/diez/diez
https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/
https://www.npmjs.com/package/%40diez/generation

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-17T18:00:13

Updated: 2024-08-03T23:33:55.856Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32830

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-17T18:15:07.130

Modified: 2023-11-07T03:35:30.263

Link: CVE-2021-32830

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "diez", "vendor": "diez", "versions": [{"status": "affected", "version": "all"}]}], "descriptions": [{"lang": "en", "value": "The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-17T18:00:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/diez/diez"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40diez/generation"}], "source": {"advisory": "GHSL-2021-061", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32830", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "diez", "version": {"version_data": [{"version_value": "all"}]}}]}, "vendor_name": "diez"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/", "refsource": "CONFIRM", "url": "https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/"}, {"name": "https://github.com/diez/diez", "refsource": "MISC", "url": "https://github.com/diez/diez"}, {"name": "https://www.npmjs.com/package/@diez/generation", "refsource": "MISC", "url": "https://www.npmjs.com/package/@diez/generation"}]}, "source": {"advisory": "GHSL-2021-061", "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.856Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/diez/diez"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40diez/generation"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32830", "datePublished": "2021-08-17T18:00:13", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.856Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haikuforteams:diez:-:*:*:*:*:node.js:*:*", "matchCriteriaId": "767D2960-8B3D-47B2-B7D7-2FA01DDE1387", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE."}, {"lang": "es", "value": "El paquete npm @diez/generation es un cliente para Diez. El m\u00e9todo locateFont de @diez/generation presenta una vulnerabilidad de inyecci\u00f3n de comandos. Es poco probable que los clientes de la biblioteca @diez/generation sean conscientes de ello, por lo que podr\u00edan escribir involuntariamente c\u00f3digo que contenga una vulnerabilidad. Este problema puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota si un cliente de la biblioteca llama al m\u00e9todo vulnerable con una entrada no confiable. Todas las versiones de este paquete son vulnerables en el momento de escribir esta CVE."}], "id": "CVE-2021-32830", "lastModified": "2023-11-07T03:35:30.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-17T18:15:07.130", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/diez/diez"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40diez/generation"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}