Command Injection in corenlp-js-prefab

Do your applications use this vulnerable package? Test your applications

Overview

corenlp-js-prefab is a deprecated package. Uses corenlp-js-interface with a simple prefab function so you only have to send text no extra parameters with each call.

Affected versions of this package are vulnerable to Command Injection via the main function.

PoC

var a=require("corenlp-js-prefab");
a.process("') touch JHU # '");

Remediation

There is no fixed version for corenlp-js-prefab.

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

Credit: JHU System Security Lab
CVE: CVE-2020-28439
CWE: CWE-78
Snyk ID: SNYK-JS-CORENLPJSPREFAB-1050434
Disclosed: 11 Dec, 2020
Published: 11 Dec, 2020

Command Injection
Affecting corenlp-js-prefab package, ALL versions

Overview

PoC

Remediation

CVSS Score

Command Injection Affecting corenlp-js-prefab package, ALL versions

Overview

PoC

Remediation

Command Injection
Affecting corenlp-js-prefab package, ALL versions