Fix CVE–2017–16042

[debricked]

CVE–2017–16042

Vulnerable dependency:     growl (Yarn)    1.9.2

Vulnerability details

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

NVD

Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.

GitHub

Command Injection in growl

Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

Recommendation

Update to version 1.10.2 or later.

CVSS details - 9.8

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity	High
Availability	High

References

    Unsafe use of exec · Issue #60 · tj/node-growl · GitHub
    fix(lib): fixed command injection vulnerability according to Issue #60 by keymandll · Pull Request #61 · tj/node-growl · GitHub
    nodesecurity.io -&nbspnodesecurity Resources and Information.
    Command Injection in growl · CVE-2017-16042 · GitHub Advisory Database · GitHub
    NVD - CVE-2017-16042

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE