Vulnerability Details : CVE-2023-40582
find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 did not properly escape user input and are vulnerable to Command Injection via an attacker-controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3; users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.
Products affected by CVE-2023-40582
- cpe:2.3:a:find-exec_project:find-exec:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40582
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-40582
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2023-40582
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. (Assigned by: security-advisories@github.com (Primary))
References for CVE-2023-40582
- https://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622 (Vendor Advisory): Command Injection Vulnerability in find-exec · Advisory · shime/find-exec · GitHub
- https://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c (Patch): Start using shell quote · shime/find-exec@74fb108 · GitHub