CVE-2018-3786
published 2018-08-24CVE-2018-3786: A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
PriorityP266critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
12.28%
95.7th percentile
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| egg | egg-scripts | — | — |
| egg | egg-scripts | >= 0 < 2.8.1 | 2.8.1 |
| eggjs | egg-scripts | < 2.8.1 | 2.8.1 |
| xkbcommon | libxkbcommon | >= 0 < 0.8.0-1ubuntu0.1 | 0.8.0-1ubuntu0.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa9.8CRITICAL
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Command Injection in standard-version
osv·2020-07-13·CVSS 9.8
[CRITICAL] Command Injection in standard-version
Command Injection in standard-version
# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`
The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).
## Summary
The `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
## Product
Standard Version
## Tested Version
Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)
## Details
### Issue 1: Command injection in `standardVersion`
The following proof-of-concept i
GHSA
Command Injection in standard-version
ghsa·2020-07-13·CVSS 9.8
[CRITICAL] CWE-77 Command Injection in standard-version
Command Injection in standard-version
# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-111`
The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [standard-version](https://github.com/conventional-changelog/standard-version).
## Summary
The `standardVersion` function has a command injection vulnerability. Clients of the `standard-version` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
## Product
Standard Version
## Tested Version
Commit [2f04ac8](https://github.com/conventional-changelog/standard-version/tree/2f04ac8fc1c134a1981c23a093d4eece77d0bbb9/)
## Details
### Issue 1: Command injection in `standardVersion`
The following proof-of-concept i
OSV
libxkbcommon vulnerabilities
osv·2018-11-06·CVSS 5.5
CVE-2018-15853 libxkbcommon vulnerabilities
libxkbcommon vulnerabilities
USN-3786-1 fixed several vulnerabilities in libxkbcommon. This
update provides the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that libxkbcommon incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-15853, CVE-2018-15854, CVE-2018-15855, CVE-2018-15856,
CVE-2018-15857, CVE-2018-15858, CVE-2018-15859, CVE-2018-15861,
CVE-2018-15862, CVE-2018-15863, CVE-2018-15864)
GHSA
Command Injection in egg-scripts
ghsa·2018-09-17
CVE-2018-3786 [CRITICAL] CWE-77 Command Injection in egg-scripts
Command Injection in egg-scripts
Versions of `egg-scripts` before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line.
Example:
`eggctl start --daemon --stderr='/tmp/eggctl_stderr.log; touch /tmp/malicious'`
## Recommendation
Update to version 2.8.1 or later.
OSV
Command Injection in egg-scripts
osv·2018-09-17
CVE-2018-3786 [CRITICAL] Command Injection in egg-scripts
Command Injection in egg-scripts
Versions of `egg-scripts` before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line.
Example:
`eggctl start --daemon --stderr='/tmp/eggctl_stderr.log; touch /tmp/malicious'`
## Recommendation
Update to version 2.8.1 or later.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2018-08-24
Published