Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/tags

https://snyk.io/vuln/npm:traceroute:20160311

https://www.npmjs.com/package/traceroute

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

https://www.npmjs.com/advisories/1465

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

Related Vulnerabilities

CVE-2018-10054 Vulnerability in maven package com.h2database:h2

CVE-2019-10754 Vulnerability in maven package org.apereo.cas:cas-server-core-services-api

CVE-2020-13920 Vulnerability in maven package org.apache.activemq:activemq-core

CVE-2017-16076 Vulnerability in npm package proxy.js

CVE-2016-10572 Vulnerability in npm package mongodb-instance

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Exploit Product Patch