Platform: nodejs
Component: webcrack
Fixed in: 2.14.1
CVE-2024-43373 is an arbitrary file write vulnerability in webcrack, a Node.js tool for unpacking JavaScript bundles. When the unpack bundles feature processes maliciously crafted code on a Windows host, an attacker can overwrite files outside the intended output directory. Versions of webcrack prior to 2.14.1 are affected; version 2.14.1 contains the fix.
The primary impact of CVE-2024-43373 is an arbitrary file overwrite on a Windows system. The attack combines the unpack bundles feature with the saving feature: the attacker supplies a bundle in which a module name contains path traversal sequences (e.g. ../ or ..\), so that when the unpacked modules are written to disk the crafted path escapes the output directory and overwrites system files or application data. Depending on what is overwritten, this can lead to system compromise, data loss, or denial of service, and an attacker who can overwrite scripts or configuration that the host later executes can turn the file write into arbitrary code execution.
CVE-2024-43373 was publicly disclosed on August 14, 2024. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not widely available, but the vulnerability's nature suggests that it could be relatively easy to exploit once a suitable payload is developed.
Organizations and developers using the webcrack Node.js package in their applications, particularly those deploying on Windows systems, are at risk. This includes developers integrating webcrack into custom tools or applications, and those relying on webcrack within larger Node.js projects. Shared hosting environments where multiple users share the same server are also at increased risk if one user's application is compromised.
• nodejs / server:
find / -name "webcrack" -type d -print0 | xargs -0 ls -l
• nodejs / server:
ps aux | grep webcrack
• generic web:
Inspect web server access logs for requests containing suspicious file paths or path traversal sequences (e.g., ../).
• generic web:
Review web application code for any instances where user-supplied input is used to construct file paths without proper sanitization.
disclosure
Exploit status
EPSS: 0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43373 is to upgrade to webcrack version 2.14.1 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter input validation on the module name parameter within the unpack bundles feature. This should prevent the inclusion of path traversal sequences. Additionally, restrict the permissions of the process running webcrack to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to trigger the unpack bundles feature with a crafted module name containing path traversal sequences; the operation should fail with an appropriate error.
Upgrade webcrack to version 2.14.1 or later. This fixes the arbitrary file write vulnerability. You can update the package using npm or yarn.
CVE-2024-43373 is a HIGH severity vulnerability in webcrack allowing attackers to overwrite files on Windows systems by exploiting the unpack bundles and saving features. It affects versions prior to 2.14.1.
You are affected if you use webcrack versions prior to 2.14.1 to unpack bundles from untrusted sources and save the unpacked modules to disk, particularly on Windows hosts, where a crafted module name can escape the output directory.
Upgrade to webcrack version 2.14.1 or later to remediate the vulnerability. If immediate upgrade is not possible, implement input validation and restrict file system access.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature suggests that exploits are likely to emerge.
Refer to the GitHub repository for webcrack: https://github.com/j4k0xb/webcrack