CVE-2018-13797
Published: 2018-07-10
Priority: P2 · 59 · critical 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.66% (93.1th percentile)
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-macaddress | < node-macaddress 0.2.9-1 (bookworm) | node-macaddress 0.2.9-1 (bookworm) |
| node-macaddress_project | node-macaddress | < 0.2.9 | 0.2.9 |
| node-macaddress_project | node-macaddress | >= 0 < 0.2.9-1 | 0.2.9-1 |
| node-macaddress_project | node-macaddress | >= 0 < 0.2.9-1 | 0.2.9-1 |
| node-macaddress_project | node-macaddress | >= 0 < 0.2.9-1 | 0.2.9-1 |
| node-macaddress_project | node-macaddress | >= 0 < 0.2.9-1 | 0.2.9-1 |
Detection & IOCs (extracted from sources)
- The vulnerability arises from use of `exec` instead of `execFile` for running system commands with unsanitized user input in the macaddress Node.js module — monitor for unexpected shell metacharacters or command chaining in network interface name inputs passed to the macaddress module.
- The fix was introduced in macaddress module version 0.2.9 — flag any Node.js environments still running macaddress versions prior to 0.2.9.
- The upstream patch commit can be used as a reference diff to identify unpatched deployments or backport status: https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
- Red Hat Quay uses the macaddress module only as a development dependency, not at runtime — runtime exploitation risk for that product is reduced.
- The vulnerability's scope is local per Debian's security tracker, limiting remote exploitation vectors.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV: [CRITICAL] Command Injection in standard-version (osv, 2020-07-13, CVSS 9.8)
# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`
The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).
## Summary
The `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
## Product
Standard Version
## Tested Version
Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)
## Details
### Issue 1: Command injection in `standardVersion`
The following proof-of-concept i
GHSA: [CRITICAL] CWE-77 Command Injection in standard-version (ghsa, 2020-07-13, CVSS 9.8)
GHSA: CVE-2018-13797 [CRITICAL] CWE-78 Command Injection in macaddress (ghsa, 2018-09-06)
All versions of `macaddress` are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the `iface` argument to the `one` method.
## Recommendation
Update to version 0.2.9 or later.
OSV: CVE-2018-13797 [CRITICAL] Command Injection in macaddress (osv, 2018-09-06)
OSV: CVE-2018-13797 [CRITICAL] The macaddress module before 0.2.9 (osv, 2018-07-10, CVSS 9.8)
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Red Hat: CVE-2018-13797 [CRITICAL] CWE-20 nodejs-macaddress: improper input validation leading to command injection (vendor_redhat, 2018-06-11, CVSS 9.8)
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
A flaw was found in nodejs-macaddress. The module allows unsanitized input to an exec call which can lead to an arbitrary command injection flaw. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Red Hat Quay uses the macaddress module, but only as a development dependency, not at runtime reducing the impact on that product to low.
Package: rhacm2/console-ui-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: quay/quay-rhel8 (Red Hat Qua
Debian: CVE-2018-13797 [CRITICAL] node-macaddress - The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command ... (vendor_debian, 2018, CVSS 9.8)
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
Scope: local
bookworm: resolved (fixed in 0.2.9-1)
bullseye: resolved (fixed in 0.2.9-1)
forky: resolved (fixed in 0.2.9-1)
sid: resolved (fixed in 0.2.9-1)
trixie: resolved (fixed in 0.2.9-1)
No detection rules found.
No public exploits indexed.
References
- https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
- https://github.com/scravy/node-macaddress/pull/20/
- https://github.com/scravy/node-macaddress/releases/tag/0.2.9
- https://news.ycombinator.com/item?id=17283394

Published: 2018-07-10