CVE-2017-16042 — Growl before 1.10.0 vulnerable to Command Injection

Description

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

How to fix CVE-2017-16042

To remediate CVE-2017-16042, upgrade the affected package to a fixed version below.

Debian/node-growl—upgrade to 1.10.5-1 or later
—upgrade to 1.10.0 or later

Is CVE-2017-16042 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.10.5-1
from 0, < 1.10.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16042
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-16042
PATCHgithub.com/tj/node-growl
WEBgithub.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669
WEB