GHSA-w725-67p7-xv22 – local-devices
Package
Manager: npm
Name: local-devices
Vulnerable Version: >=0 <3.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Command Injection in local-devices

Versions of `local-devices` prior to 3.0.0 are vulnerable to Command Injection (CWE-77). The package does not validate the IP address it receives and concatenates it directly into a string passed to an exec call, so an attacker who controls that value can append shell metacharacters and run arbitrary commands on the host.

## Recommendation

Upgrade to version 3.0.0 or later.
Metadata
Created: 2020-09-03T17:05:04Z
Modified: 2021-09-28T17:35:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w725-67p7-xv22/GHSA-w725-67p7-xv22.json
CWE IDs: ["CWE-77"]
Alternative ID: N/A
Finding: F422
Auto approve: 1