CVE-2018-21268

CVSS 10 CRITICALEPSS 4.3%

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N

Affected products

n/a · n/a

public PoCs found — 1

githubgithub.com/dannyEndorTest/node-vulnerable★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f https://github.com/jaw187/node-traceroute/tags https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3 https://snyk.io/vuln/npm:traceroute:20160311 https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy https://www.npmjs.com/advisories/1465 https://www.npmjs.com/package/traceroute https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/