CVE-2021-23378

{"id": "CVE-2021-23378", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-04-18T19:15:12.717", "references": [{"url": "https://github.com/luisivan/node-picotts/blob/8c6b183b884890c8e9422f93036b374942398c8b/index.js%23L16", "tags": ["Broken Link"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-PICOTTS-1078539", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/luisivan/node-picotts/blob/8c6b183b884890c8e9422f93036b374942398c8b/index.js%23L16", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://snyk.io/vuln/SNYK-JS-PICOTTS-1078539", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization."}, {"lang": "es", "value": "Esto afecta a todas las versiones de los paquetes picotts. Si es proporcionada una entrada de usuario controlada por un atacante para la funci\u00f3n say, es posible para un atacante ejecutar comandos arbitrarios. Esto es debido al uso de la funci\u00f3n exec child_process sin un saneamiento de la entrada"}], "lastModified": "2024-11-21T05:51:36.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:picotts_project:picotts:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "49F787C4-D6FB-4B6B-9C59-AAA55BD0E747"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}