PT-2021-15454 · Madge · Madge

Alessio Della Libera +1 · Published 2021-03-09 · Updated 2021-03-13 · CVE-2021-23352

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

madge versions prior to 4.0.1

Description

The issue affects the madge package, allowing an attacker to specify a custom Graphviz path via the graphVizPath option parameter. When the .image(), .svg(), or .dot() functions are called, the specified path is executed by the child_process.exec function, which passes its command string to a shell. This could potentially lead to arbitrary command execution.

Recommendations

For madge versions prior to 4.0.1, consider disabling the child_process.exec function or restricting the use of the graphVizPath option parameter until a patch is available. Avoid using the graphVizPath option parameter in the affected API endpoints until the issue is resolved. Update to version 4.0.1 or later to resolve the issue.
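
The restriction on graphVizPath recommended above can be enforced in the calling application before the value reaches madge. The following is an added example, not code from madge or from this advisory; it assumes graphVizPath names a directory that holds the Graphviz binaries, and resolveGraphvizBinary, runGraphviz and demo are hypothetical names.

```javascript
// Added example, not madge's own code. Assumption: graphVizPath names a
// directory holding the Graphviz binaries (dot, gvpr).
const fs = require('fs');
const os = require('os');
const path = require('path');
const { execFileSync } = require('child_process');

const GRAPHVIZ_BINARIES = new Set(['dot', 'gvpr']);

// Hypothetical guard: accept graphVizPath only if it resolves (symlinks
// included) to an allowlisted directory, then return the binary's full path.
function resolveGraphvizBinary(graphVizPath, binary, allowedDirs) {
  if (typeof graphVizPath !== 'string' || graphVizPath.includes('\0')) {
    throw new TypeError('graphVizPath must be a plain string');
  }
  if (!GRAPHVIZ_BINARIES.has(binary)) throw new Error('unexpected binary name');
  let dir;
  try {
    dir = fs.realpathSync(graphVizPath);
  } catch {
    throw new Error('graphVizPath does not exist');
  }
  const allowed = allowedDirs.map((d) => fs.realpathSync(d));
  if (!allowed.includes(dir)) {
    throw new Error('graphVizPath is not an allowlisted directory');
  }
  const file = path.join(dir, binary);
  fs.accessSync(file, fs.constants.X_OK); // throws if missing or not executable
  return file;
}

// Run the validated binary without a shell: the path and each argument reach
// the OS as separate strings, so none of them is parsed as shell syntax.
function runGraphviz(file, args) {
  return execFileSync(file, args, { encoding: 'utf8', timeout: 10000 });
}

// Constructed demo: a temp directory with a stand-in "dot" script.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gv-'));
  fs.writeFileSync(path.join(dir, 'dot'), '#!/bin/sh\necho constructed\n', { mode: 0o755 });
  const accepted = resolveGraphvizBinary(dir, 'dot', [dir]);
  let rejected = false;
  try { // constructed value containing shell metacharacters
    resolveGraphvizBinary(`${dir} ; echo constructed`, 'dot', [dir]);
  } catch {
    rejected = true;
  }
  return { dir, accepted, rejected };
}
```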

Exploit

Fix

SQL injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2021-23352
GHSA-753C-PHHG-CJ29
SNYK-JS-MADGE-1082875

Affected Products

Madge