CVE-2018-21268
10
CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N
Summary
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
- https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://github.com/jaw187/node-traceroute/tags
- https://www.npmjs.com/package/traceroute
- https://www.npmjs.com/advisories/1465
- https://snyk.io/vuln/npm:traceroute:20160311
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
References
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
- https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://github.com/jaw187/node-traceroute/tags
- https://www.npmjs.com/package/traceroute
- https://www.npmjs.com/advisories/1465
- https://snyk.io/vuln/npm:traceroute:20160311
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.