Vulnerability Details CVE-2024-21488
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.8%
CVSS Severity
CVSS v3 Score 7.3
References
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371