Arbitrary Command Injection

Affecting libnmap package, versions <0.4.16

Overview

libnmap is an API to access nmap from node.js.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If the attacker is allowed to provide the "range" field for the network scan, they could inject arbitrary OS commands instead of a valid IP range.

Remediation

Upgrade libnmap to version 0.4.16 or higher.

References

Do your applications use this vulnerable package?

CVSS Score

6.8
medium severity
  • Attack Vector
    Adjacent
  • Attack Complexity
    Low
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Credit
Cristian-Alexandru Staicu
CVE
CVE-2018-16461
CWE
CWE-94
Snyk ID
SNYK-JS-LIBNMAP-72551
Disclosed
14 Oct, 2018
Published
04 Nov, 2018