Command Injection in node-prompt-here

Do your applications use this vulnerable package? Test your applications

Overview

node-prompt-here is a package to open a console window at given absolute directory.

Affected versions of this package are vulnerable to Command Injection. The runCommand() is called by getDevices() function in file linux/manager.js, which is required by the index. process.env.NM_CLI in the file "linux/manager.js" . This function is used to construct the argument of function execSync(), which can be controlled by users without any sanitization.

PoC

process.env.NM_CLI = 'echo vulnerable > create.txt & nmcli';
var root = require("network-manager");
root.getDevices();

Remediation

There is no fixed version for node-prompt-here.

References

Vulnerable Code

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

None
Availability

None

Credit: JHU System Security Lab
CVE: CVE-2020-7602
CWE: CWE-78
Snyk ID: SNYK-JS-NODEPROMPTHERE-560115
Disclosed: 13 Mar, 2020
Published: 13 Mar, 2020

Command Injection
Affecting node-prompt-here package, ALL versions

Overview

PoC

Remediation

References

CVSS Score

Command Injection Affecting node-prompt-here package, ALL versions

Overview

PoC

Remediation

References

Command Injection
Affecting node-prompt-here package, ALL versions