Arbitrary Command Injection
Affecting printer package, versions <= 0.0.1
Overview
printer does not sanitize command arguments properly in the printDirect()
function. If untrusted client input is passed in, command injection is possible.
Source: Node Security Project
Remediation
Upgrade to a version later than 0.0.1, available on GitHub at https://github.com/tojocky/node-printer
References
- https://github.com/tojocky/node-printer
- https://github.com/tojocky/node-printer/commit/e001e38738c17219a1d9dd8c31f7d82b9c0013c7
Special thanks to Wes Cruver for providing a pull request!
Snyk patch available for versions:
- <= 0.0.1
CVSS Score
6.5
medium severity
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Adam Baldwin
- CVE: CVE-2014-3741
- CWE: CWE-77
- Snyk ID: npm:printer:20140306
- Disclosed: 06 Mar, 2014
- Published: 06 Mar, 2014