CVEブラウザに戻る

CVE-2018-21268

CRITICAL

10.0

CVSS Severity Score

EPSS Score0.1640%

EPSS Percentile8.17th

Published2020年6月25日

Last Modified2024年11月21日

Vulnerability Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Affected Platforms (CPE)

📦

Traceroute Project

Traceroute

<= 1.0.0

References & Advisories

🔗 https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

🔗 https://github.com/jaw187/node-traceroute/tags

🔗 https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

🔗 https://snyk.io/vuln/npm:traceroute:20160311

🔗 https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

🔗 https://www.npmjs.com/advisories/1465

🔗 https://www.npmjs.com/package/traceroute

🔗 https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

関連する脆弱性情報

CVE-2009-402510.0

Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR...

CVE-2005-156010.0

The SSH module in Neteyes Nexusway allows remote attackers to execute arbitrary commands via shell metacharacters in arguments to ...

CVE-2003-045310.0

traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobe...

CVE-2009-436810.0

Multiple unspecified vulnerabilities in Centreon before 2.1.4 have unknown impact and attack vectors in the (1) ping tool, (2) tra...