Impact
The vulnerability originates from unsafe construction of shell commands when the set-system-time plugin processes navigation.datetime values received via WebSocket delta messages. It allows an attacker with appropriate privileges to inject and execute arbitrary shell commands on the host running Signal K Server. Based on the description, the injection occurs when navigation.datetime data is handled in this manner.
Affected Systems
Signal K Server versions earlier than 1.5.0 that have the set-system-time plugin enabled are affected.
Risk and Exploitability
The CVSS base score of 10 indicates the highest possible severity, and the EPSS score of 4% suggests that exploitation attempts are plausible. The vulnerability can be leveraged by authenticated users with write permission when the plugin is active, or by unauthenticated users if the server’s security feature is disabled. The risk is high because the flaw enables full remote code execution on the server host.
OpenCVE Enrichment
Github GHSA