Description
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Remediation
References
https://github.com/jaw187/node-traceroute/tags
https://snyk.io/vuln/npm:traceroute:20160311
https://www.npmjs.com/package/traceroute
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
https://www.npmjs.com/advisories/1465
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
Related Vulnerabilities
CVE-2022-31160 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui
CVE-2016-11023 Vulnerability in maven package org.odata4j:odata4j-core
CVE-2020-28422 Vulnerability in npm package git-archive
CVE-2017-7674 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2021-41183 Vulnerability in maven package org.webjars:jquery-ui