Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Remediation

References

https://news.ycombinator.com/item?id=17283394

https://github.com/scravy/node-macaddress/releases/tag/0.2.9

https://github.com/scravy/node-macaddress/pull/20/

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

Related Vulnerabilities

CVE-2022-41853 Vulnerability in maven package org.hsqldb:hsqldb

CVE-2020-9484 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2013-4152 Vulnerability in maven package org.springframework:spring-web

CVE-2020-28279 Vulnerability in npm package flattenizer

CVE-2021-25933 Vulnerability in maven package org.opennms:opennms-webapp

Severity

Critical

Classification

CWE-78 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Release Notes Patch