CVE-2018-3772

Summary

Concatenating unsanitized user input in the whereis npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead.

Affected Software

VendorProductVersion RangeStatus
https://github.com/vvowhereis>= 0.4.1affected

Weaknesses

  • CWE-77: Command Injection - Generic (CWE-77)

ADP Enrichment

CVE Program Container

Additional References

References