CVE-2023-40582

CRITICAL9.8EPSS 5.1%

Command Injection Vulnerability in find-exec

發布日:2023/8/30修改日:2023/11/8

描述

Older versions of the package are vulnerable to Command Injection as an attacker controlled parameter. As a result, attackers may run malicious commands. For example: ``` const find = require("find-exec"); find("mplayer; touch hacked") ``` This creates a file named "hacked" on the filesystem. You should never allow users to control commands to find, since this package attempts to run every command provided. Thanks to @miguelafmonteiro for reporting.

受影響套件(1)

npm/find-execfrom 0, < 1.0.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-40582
PATCHhttps://github.com/shime/find-exec
WEBhttps://github.com/shime/find-exec/commit/74fb108097c229b03d6dba4cce81e36aa364b51c
WEBhttps://github.com/shime/find-exec/security/advisories/GHSA-95rp-6gqp-6622