CVE-2018-21268
CVE-2018-21268
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N
Produtos afetados
n/a · n/aPoCs públicas encontradas — 1
githubgithub.com/dannyEndorTest/node-vulnerable★ 0⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.
Quer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386fhttps://github.com/jaw187/node-traceroute/tagshttps://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3https://snyk.io/vuln/npm:traceroute:20160311https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpyhttps://www.npmjs.com/advisories/1465https://www.npmjs.com/package/traceroutehttps://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/