Vulnerability Details CVE-2018-21268
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.065
EPSS Ranking 90.7%
CVSS Severity
CVSS v3 Score 10.0
CVSS v2 Score 7.5
References
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
- https://github.com/jaw187/node-traceroute/tags
- https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://snyk.io/vuln/npm:traceroute:20160311
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
- https://www.npmjs.com/advisories/1465
- https://www.npmjs.com/package/traceroute
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
- https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f
- https://github.com/jaw187/node-traceroute/tags
- https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://snyk.io/vuln/npm:traceroute:20160311
- https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy
- https://www.npmjs.com/advisories/1465
- https://www.npmjs.com/package/traceroute
- https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/
Products affected by CVE-2018-21268
-
cpe:2.3:a:traceroute_project:traceroute:0.0.1
-
cpe:2.3:a:traceroute_project:traceroute:0.0.2
-
cpe:2.3:a:traceroute_project:traceroute:0.0.3
-
cpe:2.3:a:traceroute_project:traceroute:1.0.0