<p>There is no fixed version for <code>domokeeper</code>.</p>

Arbitrary Code Execution Affecting domokeeper package, versions *

Snyk CVSS

Attack Complexity High

Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-DOMOKEEPER-451513
published 4 Jul 2019
disclosed 4 Jul 2019
credit Vasiliy Ermilov (inkz)

Report a new vulnerability Found a mistake?

Introduced: 4 Jul 2019

CWE-200 Open this link in a new tab CWE-23 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

There is no fixed version for domokeeper.

Overview

domokeeper is a pluggable domotic control server for Raspberry Pi 2/3.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The path to required module is passed in an HTTP request without any sanitisation, thus making it possible to load code that was not intended to run on the server. In addition, the fact that output of the module is passed to server response directly may cause information leakage. For example it is possible to read package.json file or any other json file.

Steps To Reproduce

Install domokeeper and run it

npm i domokeeper 
node node_modules/domokeeper/bin.js

Navigating to http://localhost:43569/plugins/.%2Fpackage.json in the browser - the content of package.json file is printed.