The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the package uses the Child.exec() method, which runs its command string through a shell and is therefore not safe for untrusted input. In particular, an OS command can be placed after a newline character in the host value.
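The difference between a shell command string and an argument vector, as an added example (not code from node-traceroute or from the advisories listed here). The function names, the `traceroute -n` command line and the hostname/IPv4-only validation are assumptions of this example.

```javascript
// Added illustration; function names are hypothetical, not node-traceroute's API.

// Unsafe pattern: the host is concatenated into one string that exec() hands
// to a shell, so a newline inside `host` ends the traceroute command and the
// shell treats the remainder as a second command line.
function unsafeCommandLine(host) {
  return 'traceroute -n ' + host; // shown for contrast only, never executed here
}

// One DNS label: letters, digits and inner hyphens. Without the `m` flag,
// `$` matches only at the very end of the string, so "\n" cannot slip through.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Accept hostnames and IPv4 literals only (an assumption of this example).
function isValidHost(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) {
    return false;
  }
  // Every label must start with an alphanumeric, which also rejects values
  // such as "-n" that traceroute would parse as an option.
  return host.split('.').every((label) => LABEL.test(label));
}

// Build an argument vector instead of a command string.
function buildInvocation(host) {
  if (!isValidHost(host)) {
    throw new TypeError('host must be a hostname or IPv4 address');
  }
  return { file: 'traceroute', args: ['-n', host] };
}

// execFile() starts the program directly with argv[]; no shell parses the host.
async function trace(host) {
  const { file, args } = buildInvocation(host);
  // Dynamic import keeps the snippet loadable as CommonJS or as an ES module.
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile(file, args, { timeout: 60000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}
```

Validation and `execFile()` are independent layers: the allow-list rejects the newline before any process starts, and the argument vector means a value that did get through would still reach traceroute as a single argument.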
References
Link | Resource |
---|---|
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f | Patch Third Party Advisory |
https://github.com/jaw187/node-traceroute/tags | Third Party Advisory |
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3 | |
https://snyk.io/vuln/npm:traceroute:20160311 | Exploit Third Party Advisory |
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy | Third Party Advisory |
https://www.npmjs.com/advisories/1465 | Third Party Advisory |
https://www.npmjs.com/package/traceroute | Product Third Party Advisory |
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/ | Exploit Third Party Advisory |
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-06-25T16:56:53
Updated: 2020-06-25T16:56:53
Reserved: 2020-06-25T00:00:00
Link: CVE-2018-21268
NVD Information
Status: Modified
Published: 2020-06-25T17:15:11.567
Modified: 2023-11-07T02:56:25.940
Link: CVE-2018-21268
CWE