Plattform
nodejs
Komponente
growl
Behoben in
1.10.0
CVE-2017-16042 describes a Command Injection vulnerability present in the growl Node.js module. This flaw allows attackers to execute arbitrary commands on the system due to insufficient input sanitization. The vulnerability impacts versions of growl before 1.10.0, and a patch is available in version 1.10.0 and later.
The impact of this vulnerability is severe. An attacker who can exploit CVE-2017-16042 can gain complete control over the affected system. This could involve installing malware, stealing sensitive data, modifying system configurations, or using the compromised system as a launchpad for further attacks on the network. The ability to execute arbitrary commands effectively grants the attacker root-level access, making it a high-priority security concern. The blast radius extends to any data or services hosted on the compromised server.
CVE-2017-16042 was publicly disclosed on June 8, 2018. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential for significant impact make it a persistent risk. Public proof-of-concept exploits are likely to exist or could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems that rely on the growl Node.js module for notification functionality are at risk. This includes development environments, production servers, and any system where the module is integrated into custom applications. Specifically, systems that process untrusted user input and pass it directly to the growl module are particularly vulnerable.
• nodejs / server:
npm list growlIf the output shows a version less than 1.10.0, the system is vulnerable. • nodejs / server:
find / -name "growl*" -type d -printThis command searches for the growl module directory. Check the version within the directory. • nodejs / server:
npm audit | grep growlThis command checks for known vulnerabilities in the growl module using npm audit.
discovery
disclosure
patch
Exploit-Status
EPSS
0.35% (57% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2017-16042 is to immediately upgrade the growl Node.js module to version 1.10.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing strict input validation on any data passed to the growl module. While not a complete solution, this can reduce the attack surface. Additionally, review system logs for any suspicious activity related to the growl module. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with malicious input and verifying that the command is not executed.
Kein offizieller Patch verfügbar. Prüfe auf Workarounds oder überwache auf Updates.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2017-16042 is a critical vulnerability in the growl Node.js module that allows attackers to execute arbitrary commands due to insufficient input sanitization.
You are affected if you are using a version of the growl Node.js module prior to 1.10.0. Check your installed version using npm list growl.
Upgrade the growl Node.js module to version 1.10.0 or later using npm install growl@latest.
While no active campaigns have been definitively linked, the vulnerability's ease of exploitation makes it a persistent risk.
Refer to the npm advisory for CVE-2017-16042: https://www.npmjs.com/advisories/791
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.