PT-2019-15885 · Strapi · Strapi

Slackr

Published

2019-12-05

Updated

2021-12-10

CVE-2019-19609

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Strapi framework versions prior to 3.0.0-beta.17.8

Description The issue allows for Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel. This is due to the lack of sanitization of the plugin name, enabling attackers to inject arbitrary shell commands. These commands are then executed by the execa function.

Recommendations For versions prior to 3.0.0-beta.17.8, update to version 3.0.0-beta.17.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Install and Uninstall Plugin components of the Admin panel to minimize the risk of exploitation.

Exploit

Fix

RCE

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-20CWE-77

Related Identifiers

CVE-2019-19609

GHSA-49VV-6Q7Q-W5CF

GHSA-9P2W-RMX4-9MW7

Affected Products

Strapi

PT-2019-15885 · Strapi · Strapi

CVE-2019-19609

Weakness Enumeration

Related Identifiers

Affected Products

References · 16