PT-2015-4351 · Node.Js · Dns-Sync

Skx

Published

2015-02-28

Updated

2018-07-26

CVE-2014-9682

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions dns-sync module versions prior to 0.1.1

Description The issue allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. This can be exploited by passing malicious input to the function, potentially leading to unauthorized command execution.

Recommendations For versions prior to 0.1.1, update to version 0.1.1 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing the input to the resolve API function to prevent shell metacharacters from being executed. Restrict access to the resolve function to minimize the risk of exploitation.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2014-9682

GHSA-Q5PQ-PGRV-FH89

GHSA-WXVM-FH75-MPGR

Affected Products

Dns-Sync

PT-2015-4351 · Node.Js · Dns-Sync

CVE-2014-9682

Weakness Enumeration

Related Identifiers

Affected Products

References · 9