network-manager@1.0.2 vulnerabilities

A wrapper for nm-cli for managing Linux network connections

Direct Vulnerabilities

Known vulnerabilities in the network-manager package. This does not include vulnerabilities belonging to this package’s dependencies.

Command Injection
Severity: H (high)

network-manager is a wrapper for nm-cli for working with ethernet and wifi interfaces.

Affected versions of this package are vulnerable to Command Injection. The runCommand() function in common.js is called by the getDevices() function in linux/manager.js, which is in turn required by the package's index. In linux/manager.js, the value of process.env.NM_CLI is used to construct the argument passed to execSync() without any sanitization, so whoever controls that environment variable controls the command the shell executes.

PoC by JHU System Security Lab

// NM_CLI is spliced unsanitized into the string given to execSync(), so the
// shell runs the injected command (here a harmless file write) before nmcli.
process.env.NM_CLI = 'echo vulnerable > create.txt & nmcli';
var root = require("network-manager");
root.getDevices(); // triggers runCommand() -> execSync(); create.txt appears

How to fix Command Injection?

There is no fixed version for network-manager.

Vulnerable version range: *