CVE-2024-21488

EUVD-2024-0440
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
forkhqnetwork
𝑥
< 0.7.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371