Vulnerability Details : CVE-2018-13797
Potential exploit
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Products affected by CVE-2018-13797
- cpe:2.3:a:node-macaddress_project:node-macaddress:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-13797
- 11.81%: probability of exploitation activity in the next 30 days
- ~93%: percentile, the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2018-13797
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2018-13797
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-13797
- https://github.com/scravy/node-macaddress/releases/tag/0.2.9 (Release v0.2.9, scravy/node-macaddress on GitHub; Release Notes, Patch, Third Party Advisory)
- https://news.ycombinator.com/item?id=17283394 (Critical vulnerability of NPM package macaddress, Hacker News; Exploit, Third Party Advisory)
- https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332 (Merge pull request #20 from flypapertech/fixCommandInjection, scravy/node-macaddress@358fd59 on GitHub; Patch, Third Party Advisory)
- https://github.com/scravy/node-macaddress/pull/20/ (Fixes arbitrary command injection by using execFile instead of exec, Pull Request #20 by Logikgate, scravy/node-macaddress on GitHub; Third Party Advisory)