PT-2019-15885 · Strapi · Strapi

Slackr

Publicado

2019-12-05

Atualizado

2021-12-10

CVE-2019-19609

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Strapi framework versions prior to 3.0.0-beta.17.8

Description The issue allows for Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel. This is due to the lack of sanitization of the plugin name, enabling attackers to inject arbitrary shell commands. These commands are then executed by the execa function.

Recommendations For versions prior to 3.0.0-beta.17.8, update to version 3.0.0-beta.17.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Install and Uninstall Plugin components of the Admin panel to minimize the risk of exploitation.

Exploit

Correção

RCE

OS Command Injection

Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78CWE-20CWE-77

Identificadores relacionados

CVE-2019-19609

GHSA-49VV-6Q7Q-W5CF

GHSA-9P2W-RMX4-9MW7

Produtos afetados

Strapi

PT-2019-15885 · Strapi · Strapi

CVE-2019-19609

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 16