whereis
Corrigido em
0.4.1
CVE-2018-3772 describes a command injection vulnerability affecting versions of whereis prior to 0.4.1 within NodeJS environments. This flaw allows attackers to execute arbitrary commands on the system if untrusted user input is passed to the whereis utility. The vulnerability was published on July 31, 2018, and a fix is available in version 0.4.1.
The impact of this command injection vulnerability is severe. An attacker who can inject commands can gain complete control over the NodeJS process and potentially the underlying system. This could lead to data breaches, system compromise, and denial of service. The attacker could read sensitive files, install malware, or pivot to other systems on the network. The ability to execute arbitrary commands makes this a high-risk vulnerability, especially in environments where whereis is used to locate files based on user-supplied input.
This vulnerability is considered critical due to the ease of exploitation and the potential impact. While no active exploitation campaigns have been publicly reported, the simplicity of command injection vulnerabilities often makes them attractive targets. The vulnerability was disclosed publicly on July 31, 2018, and is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge if they don't already exist.
Applications and services built on NodeJS that utilize the whereis package are at risk. This includes applications that dynamically locate files based on user input or configuration data. Projects using older versions of NodeJS or those with inadequate input validation are particularly vulnerable.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -eq 'node'}• nodejs / supply-chain:
Get-WinEvent -LogName Application -Filter "EventID = 4294967295" -MaxEvents 10 | Select-String -Pattern "whereis"disclosure
Status do Exploit
EPSS
0.59% (percentil 69%)
Vetor CVSS
The primary mitigation for CVE-2018-3772 is to upgrade to version 0.4.1 or later of the whereis package within your NodeJS project. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent untrusted data from being passed to whereis. Additionally, restrict the permissions of the NodeJS process to minimize the potential damage from a successful exploit. After upgrading, confirm the fix by attempting to execute a command through whereis with malicious input; it should be properly sanitized and not execute.
Nenhum patch oficial disponível. Procure alternativas ou monitore atualizações.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2018-3772 is a critical command injection vulnerability in NodeJS whereis versions before 0.4.1, allowing attackers to execute arbitrary commands.
You are affected if you are using NodeJS whereis versions earlier than 0.4.1 and are passing untrusted input to the whereis utility.
Upgrade to version 0.4.1 or later of the whereis package. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the relevant security advisories and documentation from the NodeJS community and the whereis package maintainers for detailed information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.