Bug 1940750 (CVE-2018-13797) - CVE-2018-13797 nodejs-macaddress: improper input validation leading to command injection
Keywords:
Status: NEW
Alias: CVE-2018-13797
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1940751
Reported: 2021-03-19 04:56 UTC by Jason Shepherd
Modified: 2023-10-25 17:21 UTC (History)

Fixed In Version: nodejs-macaddress-0.2.9
Doc Type: ---
Doc Text:
A flaw was found in nodejs-macaddress. The module allows unsanitized input to an exec call which can lead to an arbitrary command injection flaw. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Jason Shepherd 2021-03-19 04:56:55 UTC
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
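
The exec versus execFile distinction named in the description, shown as an added example that is not part of the original report and is not the macaddress module's own code. The function names, the interface-name allowlist and the sysfs path are assumptions chosen for illustration.

```javascript
// Added example; names, allowlist and path are illustrative assumptions.
const { exec, execFile } = require('child_process');

// Conservative allowlist (assumption): starts with an alphanumeric, at most
// 15 characters, no whitespace, no '/', no shell metacharacters.
const IFACE_RE = /^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$/;

function isValidInterfaceName(name) {
  return typeof name === 'string' && IFACE_RE.test(name);
}

// Vulnerable pattern: the name is concatenated into one string that exec()
// hands to a shell, so the shell parses any metacharacters in the name.
function readMacUnsafe(iface, cb) {
  exec('cat /sys/class/net/' + iface + '/address', cb);
}

// Hardened pattern, step 1: validate, then build an argument vector.
// The name only ever appears inside a single argv element.
function macCommand(iface) {
  if (!isValidInterfaceName(iface)) {
    throw new TypeError('invalid interface name');
  }
  return { file: 'cat', args: ['/sys/class/net/' + iface + '/address'] };
}

// Hardened pattern, step 2: execFile() starts the program directly, with no
// shell in between. Validation is still needed because execFile alone does
// not constrain which path the argument points at.
function readMacSafe(iface, cb) {
  let cmd;
  try {
    cmd = macCommand(iface);
  } catch (err) {
    return cb(err);
  }
  execFile(cmd.file, cmd.args, (err, stdout) => {
    cb(err, err ? undefined : stdout.trim());
  });
}

// Constructed sample inputs: the first three pass, the rest are rejected.
const SAMPLE_NAMES = ['eth0', 'wlp3s0', 'eth0:1', 'eth0; echo INJECTED', 'a/b', ''];

function classifySamples() {
  return SAMPLE_NAMES.map((n) => isValidInterfaceName(n));
}
```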

Comment 3 Jason Shepherd 2021-03-19 05:21:06 UTC
Statement:

Red Hat Quay uses the macaddress module, but only as a development dependency, not at runtime, reducing the impact on that product to low.

