CVE-2024-21488 - OpenCVE

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Forkhq	Network

Configuration 1 [-]

cpe:2.3:a:forkhq:network:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-01-30T05:00:01.547Z

Updated: 2024-11-12T14:50:44.356Z

Reserved: 2023-12-22T12:33:20.118Z

Link: CVE-2024-21488

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-30T05:15:09.277

Modified: 2024-02-08T13:15:09.700

Link: CVE-2024-21488

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21488", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.118Z", "datePublished": "2024-01-30T05:00:01.547Z", "dateUpdated": "2024-11-12T14:50:44.356Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"}}], "credits": [{"value": "NodeMedic", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "Arbitrary Command Injection", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-11-12T14:50:44.356Z"}, "descriptions": [{"value": "Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371"}, {"url": "https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c"}, {"url": "https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5"}, {"url": "https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7"}, {"url": "https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7"}], "affected": [{"product": "network", "versions": [{"version": "0", "lessThan": "0.7.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.579Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c", "tags": ["x_transferred"]}, {"url": "https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5", "tags": ["x_transferred"]}, {"url": "https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7", "tags": ["x_transferred"]}, {"url": "https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forkhq:network:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D7E1F6C0-7EF1-4EE0-9BEE-BD4B94EA0B33", "versionEndExcluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on."}, {"lang": "es", "value": "Las versiones de la red de paquetes anteriores a la 0.7.0 son vulnerables a la inyecci\u00f3n de comandos arbitrarios debido al uso de la funci\u00f3n ejecutiva child_process sin sanitizaci\u00f3n de entrada. Si se proporciona entrada de usuario (controlada por el atacante) a la funci\u00f3n mac_address_for del paquete, es posible que un atacante ejecute comandos arbitrarios en el sistema operativo en el que se ejecuta este paquete."}], "id": "CVE-2024-21488", "lastModified": "2024-02-08T13:15:09.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-01-30T05:15:09.277", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "report@snyk.io", "type": "Secondary"}]}