Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Remediation

References

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

https://github.com/scravy/node-macaddress/pull/20/

https://github.com/scravy/node-macaddress/releases/tag/0.2.9

https://news.ycombinator.com/item?id=17283394

Related Vulnerabilities

CVE-2023-40814 Vulnerability in maven package org.opencrx:opencrx-core-models

CVE-2022-36091 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2021-37137 Vulnerability in maven package io.netty:netty-codec

CVE-2012-4431 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2023-45134 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

Critical

Classification

CWE-78 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Release Notes Exploit