@azure/ms-rest-nodeauth@1.0.1 vulnerabilities

Azure Authentication library in node.js with type definitions.

Direct Vulnerabilities

Known vulnerabilities in the @azure/ms-rest-nodeauth package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Command Injection

@azure/ms-rest-nodeauth is an Azure Authentication library in node.js with type definitions.

Affected versions of this package are vulnerable to Command Injection via the child_process function execAz(). This function can be injected with arbitrary OS commands. Attackers can exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription (OS command) from the Azure CLI.

PoC

auth = require('@azure/ms-rest-nodeauth');
auth.AzureCliCredentials.setDefaultSubscription('$(touch pzhou@shu)');

How to fix Command Injection?

Upgrade @azure/ms-rest-nodeauth to version 3.0.8 or higher.

<3.0.8