| Title | OS command injection vulnerability in @thi.ng/egf |
|---|---|
| Summary | @thi.ng/egf contains an OS command injection vulnerability. |
| Possible impacts | Information may be obtained or tampered with, or a denial-of-service (DoS) condition may be caused. |
| Solution | The vendor has published an official fix. Refer to the vendor information and apply the appropriate countermeasure. |
| Publication Date | March 27, 2021, midnight |
| Registration Date | Dec. 3, 2021, 5:49 p.m. |
| Last Update | Dec. 3, 2021, 5:49 p.m. |
| CVSS 3.0: High | |
|---|---|
| Score | 8.8 |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

| CVSS 2.0: Medium | |
|---|---|
| Score | 6.5 |
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| Vendor | Affected product |
|---|---|
| thi.ng | @thi.ng/egf prior to 0.4.0 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [Dec. 3, 2021] Published | Dec. 3, 2021, 5:49 p.m. |
| Summary | Potential for arbitrary code execution in npm package @thi.ng/egf `#gpg`-tagged property values (only if the `decrypt: true` option is enabled). A PR with a patch has been submitted and the fix has been released as of v0.4.0. By default the EGF parse functions do NOT attempt to decrypt values (since GPG is only available in non-browser environments). However, if GPG-encrypted values are used/required: 1. Perform a regex search for `#gpg`-tagged values in the EGF source file/string and check for backtick (\`) chars in the encrypted value string. 2. Replace/remove them or skip parsing if present. |
|---|---|
| Publication Date | March 31, 2021, 3:15 a.m. |
| Registration Date | March 31, 2021, 10:02 a.m. |
| Last Update | Nov. 21, 2024, 2:48 p.m. |
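The two-step workaround in the summary above, as an added example; this is not code from the advisory or from the @thi.ng/egf project. It scans EGF source text for `#gpg`-tagged property values, reports any containing a backtick, and offers both step-2 options: strip the backticks, or refuse to parse with `decrypt: true`. It assumes (the advisory does not say) that a tagged value sits on a single line as `<key> -> #gpg <value>`, so the value is everything after the tag up to the end of the line; the sample input is constructed.

```javascript
// Added example, not code from the advisory or the @thi.ng/egf project.
// Assumption: a #gpg-tagged value occupies one line, `<key> -> #gpg <value>`,
// so the value is everything after the `#gpg` tag to end of line.
const GPG_VALUE_RE = /#gpg\b([^\r\n]*)/;

// Step 1: find every #gpg-tagged value that contains a backtick (`).
// Returns [{ line, value }] with 1-based line numbers; empty array if clean.
function findUnsafeGpgValues(src) {
  const findings = [];
  src.split(/\r?\n/).forEach((line, idx) => {
    const m = line.match(GPG_VALUE_RE);
    if (m && m[1].includes("`")) {
      findings.push({ line: idx + 1, value: m[1].trim() });
    }
  });
  return findings;
}

// Step 2, option A: remove backticks from #gpg-tagged values before the
// source reaches a parser configured with decrypt: true.
function stripBackticksFromGpgValues(src) {
  return src.replace(
    new RegExp(GPG_VALUE_RE.source, "g"),
    (_, value) => "#gpg" + value.replace(/`/g, "")
  );
}

// Step 2, option B: gate on the scan result and skip decrypting parses
// entirely when any tagged value is suspicious.
function safeToDecrypt(src) {
  return findUnsafeGpgValues(src).length === 0;
}

// Constructed sample EGF source (not a real file): one well-formed PGP
// armored value and one value that contains backticks.
const SAMPLE = [
  "alice",
  "    token -> #gpg -----BEGIN PGP MESSAGE-----...-----END PGP MESSAGE-----",
  "",
  "mallory",
  "    name -> Mallory",
  "    token -> #gpg `tampered`",
].join("\n");

// Runs the check over the sample and returns the decision for each option,
// so the result can be inspected without relying on printed output.
function checkSample() {
  return {
    findings: findUnsafeGpgValues(SAMPLE),          // one finding, line 6
    safeAsIs: safeToDecrypt(SAMPLE),                 // false
    safeAfterStrip: safeToDecrypt(stripBackticksFromGpgValues(SAMPLE)), // true
  };
}
```

Run the scan on the raw EGF string before calling the parser; if `safeToDecrypt` returns `false`, either feed the parser the output of `stripBackticksFromGpgValues` or parse with decryption disabled, which is the library's default.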
| Configuration 1 (CPE) | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:a:\@thi.ng\/egf_project:\@thi.ng\/egf:*:*:*:*:*:node.js:*:* | | | | 0.4.0 |