CVE-2024-21488 — HIGH (7.3)

Q: How severe is CVE-2024-21488?

CVE-2024-21488 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-21488?

Check the references section above for vendor advisories and patch information. Affected products include: Forkhq Network.

Vulnerability Description

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Forkhq	Network	< 0.7.0

Related Weaknesses (CWE)

CWE-77

References

https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369cExploitMitigationThird Party Advisory
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7Patch
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7Patch
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5Patch
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371ExploitThird Party Advisory
https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369cExploitMitigationThird Party Advisory
https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7Patch
https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7Patch
https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5Patch
https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371ExploitThird Party Advisory

FAQ

What is CVE-2024-21488?

CVE-2024-21488 is a vulnerability with a CVSS score of 7.3 (HIGH). Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input...

How severe is CVE-2024-21488?

CVE-2024-21488 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-21488?

Check the references section above for vendor advisories and patch information. Affected products include: Forkhq Network.