WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-21268 Vulnerability in npm package traceroute

Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://github.com/jaw187/node-traceroute/tags

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

https://snyk.io/vuln/npm:traceroute:20160311

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.npmjs.com/advisories/1465

https://www.npmjs.com/package/traceroute

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

Related Vulnerabilities

CVE-2021-31405 Vulnerability in maven package com.vaadin:vaadin-text-field-flow

CVE-2021-32854 Vulnerability in maven package org.webjars.bower:textangular

CVE-2021-25924 Vulnerability in maven package cd.go.plugin:go-plugin-api

CVE-2022-24898 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2022-25869 Vulnerability in npm package angular

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit Product