Vulnerability Details CVE-2021-23352
This affects the package madge before 4.0.1. A custom Graphviz path can be specified via the graphVizPath option parameter; when the .image(), .svg() or .dot() functions are called, that path is executed by the child_process.exec function.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.3%
CVSS Severity
CVSS v3 Score 8.6
CVSS v2 Score 7.5
Products affected by CVE-2021-23352
- cpe:2.3:a:madge_project:madge:-
- cpe:2.3:a:madge_project:madge:0.0.1
- cpe:2.3:a:madge_project:madge:0.0.2
- cpe:2.3:a:madge_project:madge:0.0.4
- cpe:2.3:a:madge_project:madge:0.0.5
- cpe:2.3:a:madge_project:madge:0.1.0
- cpe:2.3:a:madge_project:madge:0.1.1
- cpe:2.3:a:madge_project:madge:0.1.2
- cpe:2.3:a:madge_project:madge:0.1.3
- cpe:2.3:a:madge_project:madge:0.1.4
- cpe:2.3:a:madge_project:madge:0.1.5
- cpe:2.3:a:madge_project:madge:0.1.6
- cpe:2.3:a:madge_project:madge:0.1.7
- cpe:2.3:a:madge_project:madge:0.1.8
- cpe:2.3:a:madge_project:madge:0.1.9
- cpe:2.3:a:madge_project:madge:0.2.0
- cpe:2.3:a:madge_project:madge:0.3.0
- cpe:2.3:a:madge_project:madge:0.3.1
- cpe:2.3:a:madge_project:madge:0.3.4
- cpe:2.3:a:madge_project:madge:0.3.5
- cpe:2.3:a:madge_project:madge:0.4.1
- cpe:2.3:a:madge_project:madge:0.5.0
- cpe:2.3:a:madge_project:madge:0.5.1
- cpe:2.3:a:madge_project:madge:0.5.2
- cpe:2.3:a:madge_project:madge:0.5.3
- cpe:2.3:a:madge_project:madge:0.5.4
- cpe:2.3:a:madge_project:madge:0.5.5
- cpe:2.3:a:madge_project:madge:0.6.0
- cpe:2.3:a:madge_project:madge:1.0.0
- cpe:2.3:a:madge_project:madge:1.1.0
- cpe:2.3:a:madge_project:madge:1.2.0
- cpe:2.3:a:madge_project:madge:1.3.0
- cpe:2.3:a:madge_project:madge:1.3.1
- cpe:2.3:a:madge_project:madge:1.3.2
- cpe:2.3:a:madge_project:madge:1.4.0
- cpe:2.3:a:madge_project:madge:1.4.1
- cpe:2.3:a:madge_project:madge:1.4.2
- cpe:2.3:a:madge_project:madge:1.4.3
- cpe:2.3:a:madge_project:madge:1.4.4
- cpe:2.3:a:madge_project:madge:1.4.5
- cpe:2.3:a:madge_project:madge:1.4.6
- cpe:2.3:a:madge_project:madge:1.5.0
- cpe:2.3:a:madge_project:madge:1.6.0
- cpe:2.3:a:madge_project:madge:2.0.0
- cpe:2.3:a:madge_project:madge:2.1.0
- cpe:2.3:a:madge_project:madge:2.2.0
- cpe:2.3:a:madge_project:madge:3.0.0
- cpe:2.3:a:madge_project:madge:3.0.1
- cpe:2.3:a:madge_project:madge:3.1.0
- cpe:2.3:a:madge_project:madge:3.1.1
- cpe:2.3:a:madge_project:madge:3.10.0
- cpe:2.3:a:madge_project:madge:3.11.0
- cpe:2.3:a:madge_project:madge:3.12.0
- cpe:2.3:a:madge_project:madge:3.2.0
- cpe:2.3:a:madge_project:madge:3.3.0
- cpe:2.3:a:madge_project:madge:3.4.0
- cpe:2.3:a:madge_project:madge:3.4.1
- cpe:2.3:a:madge_project:madge:3.4.2
- cpe:2.3:a:madge_project:madge:3.4.3
- cpe:2.3:a:madge_project:madge:3.4.4
- cpe:2.3:a:madge_project:madge:3.5.0
- cpe:2.3:a:madge_project:madge:3.5.1
- cpe:2.3:a:madge_project:madge:3.6.0
- cpe:2.3:a:madge_project:madge:3.7.0
- cpe:2.3:a:madge_project:madge:3.8.0
- cpe:2.3:a:madge_project:madge:3.9.0
- cpe:2.3:a:madge_project:madge:3.9.1
- cpe:2.3:a:madge_project:madge:3.9.2
- cpe:2.3:a:madge_project:madge:4.0.0