Vulnerability Description
The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.
CVSS Score
3.9 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haikuforteams | Diez | - |
Related Weaknesses (CWE)
References
- https://github.com/diez/diez (Third Party Advisory)
- https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-inje (Exploit, Third Party Advisory)
- https://www.npmjs.com/package/%40diez/generation
FAQ
What is CVE-2021-32830?
CVE-2021-32830 is a vulnerability with a CVSS score of 3.9 (LOW). The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware...
How severe is CVE-2021-32830?
CVE-2021-32830 has been rated LOW with a CVSS base score of 3.9/10. No CVSS vector breakdown is given on this page; only the base score and severity rating are listed. The low rating reflects that exploitation requires a client application to pass untrusted input to locateFont, but in that situation the impact is command execution in the calling process.
Is there a patch for CVE-2021-32830?
Check the references section above for vendor advisories and patch information; the GitHub Security Lab advisory (GHSL-2021-061) is the primary source. The CVE description states that all versions of @diez/generation were affected at the time of writing, so until a fixed release is confirmed, callers should not pass untrusted input to locateFont. Affected products include: Haikuforteams Diez.