CVE-2018-13797 Information

Description

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw due to allowing unsanitized input to an exec (rather than execFile) call.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332 https://github.com/scravy/node-macaddress/pull/20/ https://github.com/scravy/node-macaddress/releases/tag/0.2.9 https://news.ycombinator.com/item?id=17283394

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8