Vulnerability Description
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google-It Project | Google-It | <= 1.6.2 |
Related Weaknesses (CWE)
References
- https://advisory.checkmarx.net/advisory/CX-2021-4777ExploitThird Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/lib/googleIt.js#L59ExploitThird Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/src/googleIt.js#L34ExploitThird Party Advisory
- https://advisory.checkmarx.net/advisory/CX-2021-4777ExploitThird Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/lib/googleIt.js#L59ExploitThird Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/src/googleIt.js#L34ExploitThird Party Advisory
FAQ
What is CVE-2021-34083?
CVE-2021-34083 is a vulnerability with a CVSS score of 8.1 (HIGH). Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google...
How severe is CVE-2021-34083?
CVE-2021-34083 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-34083?
Check the references section above for vendor advisories and patch information. Affected products include: Google-It Project Google-It.