Arbitrary Code Injection

Affecting morgan package, versions <1.9.1


Overview

morgan is an HTTP request logger middleware for node.js.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The format parameter passed to morgan is compiled into the logging function, so an attacker who can influence that format string could inject arbitrary code that runs in the Node.js process. Applications that pass only fixed, hard-coded format strings are not exposed through this path, but should still upgrade.
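The defensive design the advisory points at, as an added example that is not morgan's own code: a morgan-style ":token[arg]" format string is interpreted as data and never turned into JavaScript source, and the format an application uses at runtime is chosen from a fixed allowlist rather than taken from untrusted input. The token set and the named formats are hypothetical stand-ins for morgan's.

```javascript
// Token functions shaped like morgan's tokens[name](req, res, arg).
// Hypothetical minimal set; morgan defines many more.
const tokens = {
  method: (req) => req.method,
  url: (req) => req.url,
  status: (req, res) => (res.statusCode === undefined ? undefined : String(res.statusCode)),
  req: (req, res, field) => req.headers[String(field).toLowerCase()],
};

const TOKEN_RE = /:([-\w]{2,})(?:\[([^\]]+)\])?/g;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compile by splitting the format into literal text and token references.
// The format string is only ever matched and sliced, so quotes, backslashes
// or newlines inside it remain literal text and can never reach the engine
// as code (the root cause behind CWE-94 in this advisory).
function compileFormat(format) {
  const fmt = String(format);
  const parts = [];
  let last = 0;
  for (const m of fmt.matchAll(TOKEN_RE)) {
    if (m.index > last) parts.push({ text: fmt.slice(last, m.index) });
    parts.push({ name: m[1], arg: m[2] });
    last = m.index + m[0].length;
  }
  if (last < fmt.length) parts.push({ text: fmt.slice(last) });
  return (req, res) =>
    parts
      .map((p) => {
        if (p.text !== undefined) return p.text;
        // Unknown tokens (and prototype names) render as "-", like morgan does.
        const v = hasOwn(tokens, p.name) ? tokens[p.name](req, res, p.arg) : undefined;
        return v === undefined || v === null ? '-' : String(v);
      })
      .join('');
}

// Only named formats from a fixed allowlist may be selected at runtime
// (e.g. via an environment variable); anything else falls back to a default.
const NAMED_FORMATS = {
  tiny: ':method :url :status',
  short: ':method :url :status ua=:req[user-agent]',
};

function selectFormat(requested, fallback = 'tiny') {
  return hasOwn(NAMED_FORMATS, requested) ? NAMED_FORMATS[requested] : NAMED_FORMATS[fallback];
}
```

Wire it up as `app.use(morgan(selectFormat(process.env.LOG_FORMAT)))` so that even a hostile LOG_FORMAT value can only pick a known format, never supply one.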

Remediation

Upgrade morgan to version 1.9.1 or higher.

References

CVSS Score

6.8 (medium severity)
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P

Credit: Unknown
CVE: CVE-2019-5413
CWE: CWE-94
Snyk ID: SNYK-JS-MORGAN-72579
Disclosed: 09 Nov, 2018
Published: 12 Nov, 2018