CVE-2022-21165 - OpenCVE

All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Font Converter Project	Font Converter

Configuration 1 [-]

OR	cpe:2.3:a:font_converter_project:font_converter:1.0.0:::::node.js::
	cpe:2.3:a:font_converter_project:font_converter:1.1.0:::::node.js::
	cpe:2.3:a:font_converter_project:font_converter:1.1.1:::::node.js::

No data.

References

Link	Providers
https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12
https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-08-29T05:00:17.008154Z

Updated: 2024-09-17T04:15:11.135Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-21165

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-29T05:15:08.137

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-21165

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "font-converter", "vendor": "n/a", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "OmniTaint"}], "datePublic": "2022-08-29T00:00:00", "descriptions": [{"lang": "en", "value": "All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Arbitrary Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-29T05:00:16", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12"}], "title": "Arbitrary Command Injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-08-29T05:00:02.360407Z", "ID": "CVE-2022-21165", "STATE": "PUBLIC", "TITLE": "Arbitrary Command Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "font-converter", "version": {"version_data": [{"version_affected": ">=", "version_value": "0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "OmniTaint"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Arbitrary Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194"}, {"name": "https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12", "refsource": "MISC", "url": "https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:31:59.858Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-21165", "datePublished": "2022-08-29T05:00:17.008154Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-17T04:15:11.135Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:font_converter_project:font_converter:1.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE9C7421-B2F2-4824-9C64-A26E75AABD23", "vulnerable": true}, {"criteria": "cpe:2.3:a:font_converter_project:font_converter:1.1.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "B4B435A4-024A-4ADD-8524-01893A8B0F44", "vulnerable": true}, {"criteria": "cpe:2.3:a:font_converter_project:font_converter:1.1.1:*:*:*:*:node.js:*:*", "matchCriteriaId": "0DA04D8B-25DD-4B48-ACD2-0437F861C636", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function."}, {"lang": "es", "value": "Todas las versiones del paquete font-converter son vulnerables a una inyecci\u00f3n arbitraria de comandos debido a una falta de saneo de la entrada que potencialmente fluye hacia la funci\u00f3n child_process.exec()"}], "id": "CVE-2022-21165", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-08-29T05:15:08.137", "references": [{"source": "report@snyk.io", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/zgec/node-js-font-converter/blob/master/index.js%23L12"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-FONTCONVERTER-2976194"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}