Arbitrary Command Injection

Affecting libnmap package, versions <0.4.16

medium severity

Overview

libnmap is an API to access nmap from node.js.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If an attacker controls the "range" field supplied to a network scan, they can inject arbitrary OS commands in place of a valid IP range, because the value reaches the nmap command line without validation.
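The mitigation on the application side is to never forward a free-form "range" string to the scanner wrapper. The following is an added example, not code from the Snyk advisory or from the libnmap project: a strict allowlist validator (the function names isValidRange and sanitizeRanges are assumptions) that accepts only plain IPv4 addresses, CIDR blocks and nmap-style last-octet ranges, and rejects everything else before a scan is ever started. It goes beyond the single case in the advisory by covering the three common range shapes rather than one.

```javascript
// Added example, not part of the advisory or of libnmap: validate the
// user-supplied "range" before it is handed to any scanner wrapper.

// One IPv4 octet, 0-255, with no leading-zero forms.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4 = `${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}`;

// Three accepted shapes. The anchors and the absence of any wildcard mean
// that no character outside [0-9./-] can survive validation, so shell
// metacharacters are rejected as a side effect of the allowlist.
const RANGE_PATTERNS = [
  new RegExp(`^${IPV4}$`),                                   // 192.168.1.10
  new RegExp(`^${IPV4}/(3[0-2]|[12]?\\d)$`),                 // 192.168.1.0/24
  new RegExp(`^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}-${OCTET}$`), // 192.168.1.1-254
];

// Returns true only for a string that matches one accepted shape exactly.
function isValidRange(range) {
  if (typeof range !== 'string' || range.length === 0 || range.length > 64) {
    return false;
  }
  return RANGE_PATTERNS.some((re) => re.test(range));
}

// Validates a single range or an array of ranges and returns them as an
// array; throws on the first rejected value so the caller never reaches
// the scanner with untrusted input.
function sanitizeRanges(ranges) {
  const list = Array.isArray(ranges) ? ranges : [ranges];
  for (const r of list) {
    if (!isValidRange(r)) {
      throw new Error(`Rejected scan range: ${JSON.stringify(r)}`);
    }
  }
  return list;
}

// Constructed sample input (assumption: what a form or API request might send).
const SAMPLE_INPUT = ['10.0.0.0/24', '192.168.1.5', '172.16.0.1-20'];

// Stand-alone demonstration: all three constructed values pass.
console.log(sanitizeRanges(SAMPLE_INPUT));
```

Call sanitizeRanges on the request value and pass only its return value to the scan API; if the application needs hostnames or IPv6 as well, extend the allowlist with equally anchored patterns rather than relaxing it to a denylist of bad characters.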

Remediation

Upgrade libnmap to version 0.4.16 or higher.

References

Credit
Cristian-Alexandru Staicu
CVE
CVE-2018-16461
Snyk ID
SNYK-JS-LIBNMAP-72551
Disclosed
14 Oct, 2018
Published
04 Nov, 2018