CVE-2024-21488
Published: 2024-01-30
Priority: P2 65 | Severity: critical | CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.23% (86.7th percentile)
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| forkhq | network | < 0.7.0 | 0.7.0 |
| forkhq | network | >= 0 < 0.7.0 | 0.7.0 |
Sources
- OSV (2024-01-30): CVE-2024-21488, severity HIGH: network Arbitrary Command Injection vulnerability (same description as above).
- GHSA (2024-01-30): CVE-2024-21488, severity HIGH, CWE-77: network Arbitrary Command Injection vulnerability (same description as above).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371