Description

Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.

Remediation

References

https://hackerone.com/reports/319476

Related Vulnerabilities

CVE-2018-12432 Vulnerability in maven package net.bull.javamelody:javamelody-core

CVE-2019-5427 Vulnerability in maven package c3p0:c3p0

CVE-2020-7777 Vulnerability in npm package jsen

CVE-2023-38687 Vulnerability in npm package svelecte

CVE-2021-44906 Vulnerability in maven package org.webjars.npm:minimist

Severity

Critical

Classification

CWE-77 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory