CVE-2018-21268: Injection in Project Traceroute

CWE-74 Injection | 3 documents | 3 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 6.5% (top 8.86%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jun 25
Latest update: May 24

Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
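The description above points at two separate fixes: reject a host value that is not a plain hostname or IP literal, and run the program without a shell so that a newline has no special meaning. The sketch below is an added example, not the package's own code; `validateHost`, `isAcceptedHost` and `trace` are hypothetical names, and it assumes a `traceroute` binary on the PATH.

```javascript
const { execFile } = require('node:child_process');
const net = require('node:net');

// One DNS label: letters, digits and inner hyphens, 1 to 63 characters.
// Without the "m" flag, "$" in JavaScript matches only at the very end of the
// input, so a label followed by "\n" does not match.
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Hypothetical helper: returns the host unchanged when it is an IP literal or
// a syntactically valid hostname, and throws otherwise.
function validateHost(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) {
    throw new TypeError('host must be a string of 1 to 253 characters');
  }
  if (net.isIP(host) !== 0) return host; // IPv4 or IPv6 literal
  if (!host.split('.').every((label) => LABEL.test(label))) {
    throw new TypeError('host is not a valid hostname or IP address');
  }
  return host;
}

// Boolean form of the same check, convenient for request validation.
function isAcceptedHost(host) {
  try {
    validateHost(host);
    return true;
  } catch (err) {
    return false;
  }
}

// Hypothetical wrapper: execFile() hands the argument vector straight to the
// program and starts no shell, so the host is always one argument.
// Assumption: a "traceroute" binary is available on the PATH.
function trace(host, callback) {
  const target = validateHost(host); // throws before any process is started
  return execFile('traceroute', [target], { timeout: 60000 }, callback);
}

// Constructed sample inputs, not taken from any advisory.
const SAMPLES = ['example.com', '192.0.2.1', 'example.com\necho constructed', '-x'];
const sampleResults = () => SAMPLES.map((host) => [host, isAcceptedHost(host)]);
```

Either control alone closes the newline case; keeping both also stops a value beginning with `-` from being read as an option by the program.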

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

Patches

Vulnerability Details (2)

OSV: Node-Traceroute RCE Vulnerability (2022-05-24)
GHSA: Node-Traceroute RCE Vulnerability (2022-05-24)