CVE-2018-21268 - OpenCVE

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Traceroute Project	Traceroute

Configuration 1 [-]

cpe:2.3:a:traceroute_project:traceroute:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f	Patch Third Party Advisory
https://github.com/jaw187/node-traceroute/tags	Third Party Advisory
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
https://snyk.io/vuln/npm:traceroute:20160311	Exploit Third Party Advisory
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy	Third Party Advisory
https://www.npmjs.com/advisories/1465	Third Party Advisory
https://www.npmjs.com/package/traceroute	Product Third Party Advisory
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-25T16:56:53

Updated: 2020-06-25T16:56:53

Reserved: 2020-06-25T00:00:00

Link: CVE-2018-21268

JSON object: View

NVD Information

Status : Modified

Published: 2020-06-25T17:15:11.567

Modified: 2023-11-07T02:56:25.940

Link: CVE-2018-21268

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-25T16:56:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"tags": ["x_refsource_MISC"], "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jaw187/node-traceroute/tags"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/traceroute"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/1465"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-21268", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy", "refsource": "MISC", "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"name": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/", "refsource": "MISC", "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}, {"name": "https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3", "refsource": "MISC", "url": "https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"name": "https://github.com/jaw187/node-traceroute/tags", "refsource": "MISC", "url": "https://github.com/jaw187/node-traceroute/tags"}, {"name": "https://www.npmjs.com/package/traceroute", "refsource": "MISC", "url": "https://www.npmjs.com/package/traceroute"}, {"name": "https://www.npmjs.com/advisories/1465", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1465"}, {"name": "https://snyk.io/vuln/npm:traceroute:20160311", "refsource": "MISC", "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"name": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f", "refsource": "MISC", "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-21268", "datePublished": "2020-06-25T16:56:53", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-06-25T16:56:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:traceroute_project:traceroute:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "10542A2B-9A3B-4F1B-A3E9-BF8BC7B5AE30", "versionEndIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character."}, {"lang": "es", "value": "El paquete traceroute (tambi\u00e9n se conoce como node-traceroute) versiones hasta 1.0.0 para Node.js, permite una inyecci\u00f3n de comandos remota por medio del par\u00e1metro host. Esto ocurre porque es usado el m\u00e9todo Child.exec(), que es considerado no del todo seguro. En particular, un comando del Sistema Operativo puede ser colocado despu\u00e9s de un car\u00e1cter newline"}], "id": "CVE-2018-21268", "lastModified": "2023-11-07T02:56:25.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2020-06-25T17:15:11.567", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/jaw187/node-traceroute/tags"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/npm:traceroute:20160311"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.npmjs.com/advisories/1465"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/traceroute"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}