CVE-2024-21488

Summary

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.

Affected Software

VendorProductVersion RangeStatus
n/anetwork0 < 0.7.0affected
n/aorg.webjars.npm:network0 < *affected

Weaknesses

  • CWE-77: Arbitrary Command Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References