GHSA-vvh2-82c7-ppfg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vvh2-82c7-ppfg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-vvh2-82c7-ppfg/GHSA-vvh2-82c7-ppfg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vvh2-82c7-ppfg
- Aliases
- Published
- 2024-01-30T06:30:23Z
- Modified
- 2024-01-30T18:56:40.784372Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- network Arbitrary Command Injection vulnerability
- Details
-
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the
child_processexec function without input sanitization. If (attacker-controlled) user input is given to themac_address_forfunction of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on. - Database specific
{ "nvd_published_at": "2024-01-30T05:15:09Z", "cwe_ids": [ "CWE-77" ], "github_reviewed_at": "2024-01-30T18:43:05Z", "severity": "HIGH", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-21488
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://github.com/tomas/network
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
Affected packages
npm / network
Package
- Name
- network
- View open source insights on deps.dev
- Purl
- pkg:npm/network