WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-21268 Vulnerability in npm package traceroute

Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://github.com/jaw187/node-traceroute/tags

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

https://snyk.io/vuln/npm:traceroute:20160311

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.npmjs.com/advisories/1465

https://www.npmjs.com/package/traceroute

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

Related Vulnerabilities

CVE-2022-43411 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin

CVE-2013-6393 Vulnerability in npm package libyaml

CVE-2022-25948 Vulnerability in npm package liquidjs

CVE-2020-28458 Vulnerability in maven package org.webjars.npm:datatables.net

CVE-2021-32624 Vulnerability in npm package keystone

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit Product