Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Remediation

References

https://news.ycombinator.com/item?id=17283394

https://github.com/scravy/node-macaddress/releases/tag/0.2.9

https://github.com/scravy/node-macaddress/pull/20/

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

Related Vulnerabilities

CVE-2019-1010266 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2023-48796 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-alert-server

CVE-2023-26158 Vulnerability in maven package org.webjars.npm:mockjs

CVE-2017-16100 Vulnerability in npm package dns-sync

CVE-2023-48796 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

Severity

Critical

Classification

CWE-78 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Release Notes Patch