Arbitrary Code Injection

Affecting morgan package, versions <1.9.1

Overview

morgan is an HTTP request logger middleware for Node.js.

Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker who can control the value passed as the format parameter could use it to inject arbitrary commands.

Remediation

Upgrade morgan to version 1.9.1 or higher.
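The two checks below are an added example written for this advisory; they are not code from the Snyk page or from the morgan project, and they do not depend on morgan being installed. They assume (this is not stated on the page) that an application picks its morgan log format from a configuration value such as an environment variable: the first helper restricts that value to morgan's predefined format names so no untrusted string ever reaches the format parameter, and the second compares an installed version against the fixed release 1.9.1 named in the remediation, so the upgrade can be verified in a build step.

```javascript
// Added example (not from the Snyk advisory or the morgan project).
// Assumption: the app chooses its morgan format from a config value and we
// want that value allowlisted rather than passed straight to morgan(format).

// morgan's built-in format names; anything else is treated as untrusted.
const PREDEFINED_FORMATS = new Set(['combined', 'common', 'dev', 'short', 'tiny']);

/**
 * Map a requested format (e.g. from an env var or config file) to one of
 * morgan's predefined format names. Unknown values fall back to the default
 * instead of being passed through, so callers can never hand morgan an
 * arbitrary format string taken from outside the code base.
 */
function selectMorganFormat(requested, fallback = 'combined') {
  if (typeof requested !== 'string') return fallback;
  const name = requested.trim().toLowerCase();
  return PREDEFINED_FORMATS.has(name) ? name : fallback;
}

/** Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release suffix ignored). */
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

/** Compare two parsed versions: -1, 0 or 1. */
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

/**
 * True when the installed morgan version is at or above 1.9.1, the release
 * the advisory names as fixed. Unparsable input is reported as not fixed so a
 * CI gate fails closed rather than open.
 */
function isMorganFixed(installedVersion) {
  const parsed = parseSemver(installedVersion);
  if (!parsed) return false;
  return compareSemver(parsed, [1, 9, 1]) >= 0;
}

// Stand-alone demo with constructed values (not real package.json data).
console.log('format:', selectMorganFormat(process.env.LOG_FORMAT)); // 'combined' when unset
console.log('1.9.0 fixed?', isMorganFixed('1.9.0'));   // false
console.log('1.9.1 fixed?', isMorganFixed('1.9.1'));   // true
console.log('1.10.0 fixed?', isMorganFixed('1.10.0')); // true
```

In an Express app the selected name would be used as `app.use(morgan(selectMorganFormat(process.env.LOG_FORMAT)))`; the version check can read `require('morgan/package.json').version` once the package is present. Keeping the allowlist in place after upgrading is cheap defence in depth, since it also prevents future format-string mistakes that the version bump alone would not.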

CVSS Score

6.8 (medium severity)

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P

Credit: Unknown
CWE: CWE-94
Snyk ID: SNYK-JS-MORGAN-72579
Disclosed: 09 Nov, 2018
Published: 12 Nov, 2018