Vulnerability Details : CVE-2022-21191
Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection because no input sanitization, or other checks and sandboxing, is applied in the getPath function.
Exploit prediction scoring system (EPSS) score for CVE-2022-21191
Probability of exploitation activity in the next 30 days: 0.41%
Percentile, the proportion of vulnerabilities that are scored at or less: ~73%
CVSS scores for CVE-2022-21191
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
7.4 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 1.4 | 5.9 | Snyk |
CWE ids for CVE-2022-21191
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-21191
- https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
  Release v3.0.0 · rosen-vladimirov/global-modules-path · GitHub (Third Party Advisory)
- https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf295b1469923c06bbccad3c180
  fix: do not allow command injection · rosen-vladimirov/global-modules-path@edbdaff · GitHub (Patch; Third Party Advisory)
- https://github.com/lorenzomigliorero/npm-node-utils/blob/b55dd81c597db657c9751332bb2242403fd3e26b/index.js%23L186
  Page not found · GitHub · GitHub (Broken Link; Third Party Advisory)
- https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
  Command Injection in global-modules-path | CVE-2022-21191 | Snyk (Third Party Advisory)
Products affected by CVE-2022-21191
- cpe:2.3:a:global-modules-path_project:global-modules-path:*:*:*:*:*:*:*:*