Arbitrary Code Injection in mongo-edit

Do your applications use this vulnerable package? Test your applications

Overview

mongo-edit is a Log Utility.

Affected versions of the package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands.

Remediation

There is no fix version for mongo-edit.

References

GitHub Issue
Research Paper - Understanding and Automatically Preventing Injection Attacks on Node.js

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits
CWE: CWE-94
Snyk ID: npm:mongo-edit:20160408
Disclosed: 08 Apr, 2016
Published: 01 May, 2017

Arbitrary Code Injection
Affecting mongo-edit package, ALL versions

Overview

Remediation

References

CVSS Score

Arbitrary Code Injection Affecting mongo-edit package, ALL versions

Overview

Remediation

References

Arbitrary Code Injection
Affecting mongo-edit package, ALL versions