Description

im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.

Remediation

References

https://github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639

https://snyk.io/vuln/SNYK-JS-IMMETADATA-544184

Related Vulnerabilities

CVE-2021-21379 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-wikimacro-store

CVE-2023-30517 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2021-46708 Vulnerability in npm package swagger-ui

CVE-2022-22963 Vulnerability in maven package org.springframework.cloud:spring-cloud-function-core

CVE-2021-28163 Vulnerability in maven package org.eclipse.jetty:jetty-deploy

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit