CVE-2018-21268

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
mitreCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
traceroute_projecttraceroute
𝑥
≤ 1.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
https://snyk.io/vuln/npm:traceroute:20160311
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
https://www.npmjs.com/advisories/1465
https://www.npmjs.com/package/traceroute
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
https://snyk.io/vuln/npm:traceroute:20160311
https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
https://www.npmjs.com/advisories/1465
https://www.npmjs.com/package/traceroute
https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/