CVE-2021-29369 – @rkesters/gnuplot
Package
Manager: npm
Name: @rkesters/gnuplot
Vulnerable Version: >=0 <0.1.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01099 (percentile 0.77212)
Details
Code injection in @rkesters/gnuplot
@rkesters/gnuplot is an easy-to-use Node module for drawing charts using gnuplot and ps2pdf. The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands.
Metadata
Created: 2022-02-10T23:41:49Z
Modified: 2022-05-04T03:05:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f2jw-pr2c-9x96/GHSA-f2jw-pr2c-9x96.json
CWE IDs: ["CWE-77", "CWE-78"]
Alternative ID: GHSA-f2jw-pr2c-9x96
Finding: F422
Auto approve: 1