Arbitrary Command Injection in printer

Do your applications use this vulnerable package? Test your applications

Overview

printer does not sanitize command arguments properly in the printDirect() function. If untrusted client input is passed in, command injection is possible.

Source: Node Security Project

Remediation

Upgrade to version > 0.0.1 which is available on github at https://github.com/tojocky/node-printer

References

https://github.com/tojocky/node-printer
https://github.com/tojocky/node-printer/commit/e001e38738c17219a1d9dd8c31f7d82b9c0013c7

Special thanks to Wes Cruver for providing a pull request!

Snyk patch available for versions:

<= 0.0.1
View patch

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Adam Baldwin
CVE: CVE-2014-3741
CWE: CWE-77
Snyk ID: npm:printer:20140306
Disclosed: 06 Mar, 2014
Published: 06 Mar, 2014