1.10.0
CVE-2017-16042 describes a Command Injection vulnerability present in the growl Node.js module. This flaw allows attackers to execute arbitrary commands on the system due to insufficient input sanitization. The vulnerability impacts versions of growl before 1.10.0, and a patch is available in version 1.10.0 and later.
The impact of this vulnerability is severe. An attacker who can exploit CVE-2017-16042 can gain complete control over the affected system. This could involve executing malicious code, stealing sensitive data, installing malware, or pivoting to other systems on the network. The ability to inject arbitrary commands bypasses standard security controls and allows for a wide range of malicious activities. Given the module's potential use in notification systems, an attacker could potentially leverage this to gain access to critical infrastructure or sensitive user data.
CVE-2017-16042 was publicly disclosed on June 8, 2018. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential for significant impact make it a persistent risk. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the ease with which an attacker can execute arbitrary commands.
Applications and systems that rely on the growl Node.js module for notification functionality are at risk. This includes development environments, production servers, and any system where the module is integrated into custom applications. Specifically, systems that process untrusted user input and pass it directly to the growl module are particularly vulnerable.
• nodejs / server:
npm list growlIf the output shows a version less than 1.10.0, the system is vulnerable. • nodejs / server:
find / -name "growl*" -type d -printThis command searches for the growl module directory. Check the version within the directory. • nodejs / server:
npm audit | grep growlThis command checks for known vulnerabilities in the growl module using npm audit.
discovery
disclosure
patch
漏洞利用状态
EPSS
0.35% (57% 百分位)
CVSS 向量
The primary mitigation for CVE-2017-16042 is to upgrade the growl Node.js module to version 1.10.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on any user-supplied data passed to the growl module. While a direct WAF rule is unlikely, implementing strict input validation within your application logic can help prevent command injection attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with malicious input and verifying that the command is not executed.
暂无官方补丁。请查找临时解决方案或持续关注更新。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2017-16042 is a critical vulnerability in the growl Node.js module that allows attackers to execute arbitrary commands due to insufficient input sanitization.
You are affected if you are using a version of the growl Node.js module prior to 1.10.0. Check your installed version using npm list growl.
Upgrade the growl Node.js module to version 1.10.0 or later using npm install growl@latest.
While no active campaigns have been definitively linked, the vulnerability's ease of exploitation makes it a persistent risk.
Refer to the npm advisory for CVE-2017-16042: https://www.npmjs.com/advisories/791