Arbitrary Code Injection in growl

Do your applications use this vulnerable package? Test your applications

Overview

growl is a package adding Growl support for Nodejs.

Affected versions of this package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

Upgrade growl to version 1.10.0 or higher.

References

GitHub Commit
GitHub Comparison
GitHub Issue
GitHub Release Notes
Research Paper - Understanding and Automatically Preventing Injection Attacks on Node.js

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

Credit: Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits
CVE: CVE-2017-16042
CWE: CWE-94
Snyk ID: npm:growl:20160721
Disclosed: 21 Jul, 2016
Published: 01 May, 2017

Arbitrary Code Injection
Affecting growl package, versions <1.10.0

Overview

Remediation

References

CVSS Score

Arbitrary Code Injection Affecting growl package, versions <1.10.0

Overview

Remediation

References

Arbitrary Code Injection
Affecting growl package, versions <1.10.0