{"containers": {"cna": {"affected": [{"product": "ljharb/npm-lockfile", "vendor": "ljharb", "versions": [{"status": "affected", "version": "2.0.3"}, {"status": "affected", "version": "2.0.4"}]}], "descriptions": [{"lang": "en", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-04T08:15:13", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}], "source": {"advisory": "4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "discovery": "EXTERNAL"}, "title": "OS Command Injection in ljharb/npm-lockfile", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0841", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ljharb/npm-lockfile"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ljharb/npm-lockfile", "version": {"version_data": [{"version_affected": "=", "version_value": "2.0.3"}, {"version_affected": "=", "version_value": "2.0.4"}]}}]}, "vendor_name": "ljharb"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"name": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8", "refsource": "MISC", "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}]}, "source": {"advisory": "4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:40:04.446Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0841", "datePublished": "2022-03-03T15:50:10", "dateReserved": "2022-03-03T00:00:00", "dateUpdated": "2024-08-02T23:40:04.446Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.3:*:*:*:*:node.js:*:*", "matchCriteriaId": "F81C86AD-D217-4007-BE77-43366826ACBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.4:*:*:*:*:node.js:*:*", "matchCriteriaId": "9DAF0424-6A7C-4853-B316-0BF3CFE247F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}, {"lang": "es", "value": "Inyecci\u00f3n de comandos del sistema operativo en el repositorio de GitHub ljharb/npm-lockfile en las versiones v2.0.3 y v2.0.4."}], "id": "CVE-2022-0841", "lastModified": "2024-11-21T06:39:30.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T16:15:07.863", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "npm-lockfile: os command injection", "id": "2060615", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060615"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-78", "details": ["OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.", "A flaw was found in npm-lockfile, where npm-lockfile v2 did not sanitize the `only` parameter before invoking sensitive command execution API with the input. This issue leads to a command injection vulnerability."], "name": "CVE-2022-0841", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit-appstream", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/cockpit-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/cockpit-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:12/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs12-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2022-03-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-0841\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0841\nhttps://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1/"], "statement": "This flaw only affects npm-lockfile v2. Red Hat Enterprise Linux is not affected by this issue as it ships npm-lockfile v1. Note that the impact is Low as there is no way for external attackers to provide unsafe input and exploit the issue. See huntr vulnerability report (External References) for more information in this regard.", "threat_severity": "Low"}

{}