CVE-2022-29080

The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.
References
Link Resource
https://github.com/barneycarroll/npm-dependency-versions/issues/6 Exploit Issue Tracking Third Party Advisory
https://www.npmjs.com/package/npm-dependency-versions Product Third Party Advisory
https://github.com/barneycarroll/npm-dependency-versions/issues/6 Exploit Issue Tracking Third Party Advisory
https://www.npmjs.com/package/npm-dependency-versions Product Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:npm-dependency-versions_project:npm-dependency-versions:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 06:58

Type Values Removed Values Added
References () https://github.com/barneycarroll/npm-dependency-versions/issues/6 - Exploit, Issue Tracking, Third Party Advisory () https://github.com/barneycarroll/npm-dependency-versions/issues/6 - Exploit, Issue Tracking, Third Party Advisory
References () https://www.npmjs.com/package/npm-dependency-versions - Product, Third Party Advisory () https://www.npmjs.com/package/npm-dependency-versions - Product, Third Party Advisory

08 Aug 2023, 14:21

Type Values Removed Values Added
CWE CWE-77 CWE-78

Information

Published : 2022-04-12 05:15

Updated : 2024-11-21 06:58


NVD link : CVE-2022-29080

Mitre link : CVE-2022-29080

CVE.ORG link : CVE-2022-29080


JSON object : View

Products Affected

npm-dependency-versions_project

  • npm-dependency-versions
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')