1940750 – (CVE-2018-13797) CVE-2018-13797 nodejs-macaddress: improper input validation leading to command injection

Bug 1940750 (CVE-2018-13797) - CVE-2018-13797 nodejs-macaddress: improper input validation leading to command injection

Summary: CVE-2018-13797 nodejs-macaddress: improper input validation leading to comman...

Keywords:
Status:	NEW
Alias:	CVE-2018-13797
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1940751
TreeView+	depends on / blocked

Reported:	2021-03-19 04:56 UTC by Jason Shepherd
Modified:	2024-06-04 10:50 UTC (History)
CC List:	5 users (show)
Fixed In Version:	nodejs-macaddress-0.2.9
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Jason Shepherd 2021-03-19 04:56:55 UTC

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Comment 2 Jason Shepherd 2021-03-19 05:18:34 UTC

Upstream commit:

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

Comment 3 Jason Shepherd 2021-03-19 05:21:06 UTC

Statement:

Red Hat Quay uses the macaddress module, but only as a development dependency, not at runtime reducing the impact on that product to low.

Note You need to log in before you can comment on or make changes to this bug.