CVE-2019-19609

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
OS Command Injection
CVSS 3.x Base Score

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   7.2 HIGH     NETWORK       LOW               HIGH             CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitre      CNA    ---          ---
CVE        ADP    ---          ---

EPSS Score Percentile: 98%
Vendor: strapi
Product: strapi
Versions (x = Vulnerable software versions):
  x ≤ 1.6.4
  3.0.0:alpha10.1, 3.0.0:alpha10.2, 3.0.0:alpha10.3, 3.0.0:alpha11, 3.0.0:alpha11.1, 3.0.0:alpha11.2, 3.0.0:alpha11.3
  3.0.0:alpha12, 3.0.0:alpha12.1, 3.0.0:alpha12.1.3, 3.0.0:alpha12.2, 3.0.0:alpha12.3, 3.0.0:alpha12.4, 3.0.0:alpha12.5, 3.0.0:alpha12.6, 3.0.0:alpha12.7, 3.0.0:alpha12.7.1
  3.0.0:alpha13, 3.0.0:alpha13.0.1, 3.0.0:alpha13.1
  3.0.0:alpha14, 3.0.0:alpha14.1, 3.0.0:alpha14.1.1, 3.0.0:alpha14.2, 3.0.0:alpha14.3, 3.0.0:alpha14.4.0, 3.0.0:alpha14.5
  3.0.0:alpha15, 3.0.0:alpha16, 3.0.0:alpha17, 3.0.0:alpha18, 3.0.0:alpha19, 3.0.0:alpha20, 3.0.0:alpha21, 3.0.0:alpha22, 3.0.0:alpha23, 3.0.0:alpha23.1
  3.0.0:alpha24, 3.0.0:alpha24.1, 3.0.0:alpha25, 3.0.0:alpha25.1, 3.0.0:alpha25.2, 3.0.0:alpha26, 3.0.0:alpha26.1, 3.0.0:alpha26.2
  3.0.0:alpha4, 3.0.0:alpha4.8, 3.0.0:alpha5.3, 3.0.0:alpha5.5, 3.0.0:alpha6.3, 3.0.0:alpha6.4, 3.0.0:alpha6.7, 3.0.0:alpha7.2, 3.0.0:alpha7.3, 3.0.0:alpha8, 3.0.0:alpha8.3, 3.0.0:alpha9, 3.0.0:alpha9.1, 3.0.0:alpha9.2
  3.0.0:beta0, 3.0.0:beta1, 3.0.0:beta10, 3.0.0:beta11, 3.0.0:beta12, 3.0.0:beta13, 3.0.0:beta14, 3.0.0:beta15
  3.0.0:beta16, 3.0.0:beta16.1, 3.0.0:beta16.2, 3.0.0:beta16.3, 3.0.0:beta16.4, 3.0.0:beta16.5, 3.0.0:beta16.6, 3.0.0:beta16.7, 3.0.0:beta16.8
  3.0.0:beta17, 3.0.0:beta17.1, 3.0.0:beta17.2, 3.0.0:beta17.3, 3.0.0:beta17.4, 3.0.0:beta17.5, 3.0.0:beta17.6, 3.0.0:beta17.7
  3.0.0:beta2, 3.0.0:beta3, 3.0.0:beta4, 3.0.0:beta5, 3.0.0:beta6, 3.0.0:beta7, 3.0.0:beta8, 3.0.0:beta9

x = Vulnerable software versions