PT-2020-8911 · Unknown · Traceroute

Published 2020-06-25 · Updated 2022-05-24 · CVE-2018-21268

CVSS v3.1: 10 (Critical)

Vector: AC:L/AV:N/A:L/C:H/I:H/PR:N/S:C/UI:N
Name of the Vulnerable Software and Affected Versions

traceroute (aka node-traceroute) versions through 1.0.0

Description

The issue allows remote command injection via the host parameter. This occurs because the Child.exec() method is used, which is considered not entirely safe. An OS command can be placed after a newline character.

Recommendations

For versions through 1.0.0, consider disabling the Child.exec() method until a patch is available. Restrict access to the host parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
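One way to apply the recommendation to restrict the host parameter in calling code, shown as an added example that is not the package's own code: validate the value against an allowlist before it reaches any process-spawning call, and start the program with `execFile` and an argument array instead of a shell string. The names `validateHost`, `buildTraceArgs` and `trace` are hypothetical, and a Unix `traceroute` binary with the `-n` and `-m` flags is assumed.

```javascript
const { execFile } = require('node:child_process');
const net = require('node:net');

// Allowlist for the whole value: hostname and IP-literal characters only, so
// whitespace, newlines, "%" zone suffixes and shell metacharacters never pass.
const HOST_CHARS = /^[A-Za-z0-9.:-]{1,253}$/;
// One DNS label: letters, digits and inner hyphens; it cannot start with "-".
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Return host unchanged if it is an IP literal or a plain hostname; throw otherwise.
function validateHost(host) {
  if (typeof host !== 'string' || !HOST_CHARS.test(host)) {
    throw new TypeError('host contains characters outside the allowlist');
  }
  if (net.isIP(host) !== 0) return host;
  if (!host.split('.').every((label) => LABEL.test(label))) {
    throw new TypeError('host is not an IP address or hostname');
  }
  return host;
}

// Build the argument vector (assumed flags: -n numeric output, -m max hops).
function buildTraceArgs(host, maxHops = 30) {
  if (!Number.isInteger(maxHops) || maxHops < 1 || maxHops > 255) {
    throw new RangeError('maxHops must be an integer from 1 to 255');
  }
  return ['-n', '-m', String(maxHops), validateHost(host)];
}

// exec() hands one command string to a shell, which is why a newline in host
// becomes a second command. execFile() starts the program directly and passes
// each array element as a single argument, so no shell parses the value.
function trace(host, callback) {
  return execFile('traceroute', buildTraceArgs(host), { timeout: 60000 }, callback);
}

// Constructed sample inputs: the second carries a newline followed by extra text.
for (const sample of ['example.com', 'example.com\nCONSTRUCTED-TEXT']) {
  try {
    console.log('accepted:', JSON.stringify(buildTraceArgs(sample)));
  } catch (err) {
    console.log('rejected:', JSON.stringify(sample), '-', err.message);
  }
}
```

The validation and the `execFile` call are independent layers: the allowlist also stops values beginning with `-` from being read as traceroute options, which an argument array alone does not prevent.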

Exploit

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2018-21268
GHSA-8J9V-QHP4-WV55

Affected Products

Traceroute