Arbitrary Command Injection

Affecting codem-transcode package, versions <0.5.0

Overview

The codem-transcode package supports a feature (off by default) to interact with a local ffprobe. When enabled, POST requests to /probe trigger the execution of the local ffprobe binary, with the provided parameters.

This execution is done using exec, which runs the command through a shell and therefore honours pipes and other shell metacharacters in the supplied parameters, enabling remote command execution. Newer versions use execFile instead, which passes the arguments directly to the binary without a shell and prevents such injection (though it still gives attackers access to whatever functionality ffprobe supports, and to any weaknesses in it).

Note that, by default, the package only listens for such requests from the local network interface, greatly reducing the likelihood of exploitation.

Remediation

Either turn off the ffprobe functionality or upgrade to (at least) version 0.5.0, which addresses this issue by using execFile instead of exec.

CVSS Score

8.1 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Neal Poole
CVE: CVE-2013-7377
CWE: CWE-77
Snyk ID: npm:codem-transcode:20130707
Disclosed: 07 Jul, 2013
Published: 07 Jul, 2013