Vulnerability Details : CVE-2014-7192
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file.
Vulnerability category: Execute code
Products affected by CVE-2014-7192
- cpe:2.3:a:joyent:node.js:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-7192
25.35%
Probability of exploitation activity in the next 30 days
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-7192
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2014-7192
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-7192
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96728
  Node.js syntax-error module eval() code execution CVE-2014-7192 Vulnerability Report
- https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309
  use eval() with early throw instead of Function() to prevent script i… · browserify/syntax-error@9aa4e66 · GitHub (Exploit)
- http://www-01.ibm.com/support/docview.wss?uid=swg21690815
  IBM Security Bulletin: Multiple vulnerabilities in modules from the IBM SDK for Node.js affect the Cordova tools in IBM Rational Application Developer (CVE-2014-7191 and CVE-2014-7192)
- https://nodesecurity.io/advisories/syntax-error-potential-script-injection
  npm (Vendor Advisory)