Arbitrary Code Injection in kmc

Do your applications use this vulnerable package? Test your applications

Overview

kmc is a NodeJS-based KISSY module packaging tool that is currently available for KISSY 1.2+ code package.

Affected versions of the package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

There is no fix version for kmc.

References

GitHub Issue
Research Paper - Understanding and Automatically Preventing Injection Attacks on Node.js

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits
CWE: CWE-94
Snyk ID: npm:kmc:20160407
Disclosed: 07 Apr, 2016
Published: 01 May, 2017

Arbitrary Code Injection
Affecting kmc package, ALL versions

Overview

Remediation

References

CVSS Score

Arbitrary Code Injection Affecting kmc package, ALL versions

Overview

Remediation

References

Arbitrary Code Injection
Affecting kmc package, ALL versions