2166721 – (CVE-2022-21191) CVE-2022-21191 global-modules-path: Command Injection due to missing Input Sanitization

Bug 2166721 (CVE-2022-21191) - CVE-2022-21191 global-modules-path: Command Injection due to missing Input Sanitization

Summary: CVE-2022-21191 global-modules-path: Command Injection due to missing Input Sa...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2022-21191
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2161211
TreeView+	depends on / blocked

Reported:	2023-02-02 18:12 UTC by Patrick Del Bello
Modified:	2023-02-08 15:31 UTC (History)
CC List:	13 users (show)
Fixed In Version:	global-modules-path 3.0.0
Clone Of:
Environment:
Last Closed:	2023-02-08 15:31:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2023-02-02 18:12:38 UTC

Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function.

https://github.com/lorenzomigliorero/npm-node-utils/blob/b55dd81c597db657c9751332bb2242403fd3e26b/index.js%23L186
https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf295b1469923c06bbccad3c180

Comment 1 Product Security DevOps Team 2023-02-08 15:31:33 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21191

Note You need to log in before you can comment on or make changes to this bug.