Vulnerability Description
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Node-Macaddress Project | Node-Macaddress | < 0.2.9 |
Related Weaknesses (CWE)
References
- https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69f (Patch, Third Party Advisory)
- https://github.com/scravy/node-macaddress/pull/20/ (Third Party Advisory)
- https://github.com/scravy/node-macaddress/releases/tag/0.2.9 (Patch, Release Notes, Third Party Advisory)
- https://news.ycombinator.com/item?id=17283394 (Exploit, Third Party Advisory)
FAQ
What is CVE-2018-13797?
CVE-2018-13797 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
How severe is CVE-2018-13797?
CVE-2018-13797 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-13797?
Check the references section above for vendor advisories and patch information. Affected products include: Node-Macaddress Project Node-Macaddress.