CVE-2013-4660
Command Injection vulnerability in js-yaml


What is CVE-2013-4660 About?

This vulnerability is a disputed command injection flaw in the `template` function of Lodash 4.17.21 that could allow arbitrary code execution. Exploitation hinges on a developer passing untrusted input to the `template` function, so how easily it can be exploited depends on the application's implementation. Where it is exploitable, it could lead to full system compromise.

Affected Software

js-yaml <2.0.5

Technical Details

The vulnerability is described as a command injection in the `template` function of Lodash version 4.17.21: an attacker could achieve arbitrary code execution by injecting malicious commands into the input processed by this function. The core mechanism is that `template` evaluates code derived from external or untrusted input without sufficient sanitization or validation, which lets an attacker control what is executed and leads to remote code execution.

What is the Impact of CVE-2013-4660?

Successful exploitation may allow attackers to achieve arbitrary code execution, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2013-4660?

Exploitation of this vulnerability would likely be of moderate complexity, requiring specific conditions where untrusted input is fed directly into the vulnerable `template` function. There are no inherent authentication or privilege requirements to trigger the vulnerability itself, but the attacker would need a method to inject malicious input into the application, which could be local or remote depending on the application's design. The primary constraint is the developer's responsibility to ensure template inputs are sanitized, implying application-specific contexts for exploitation. Risk factors include applications that dynamically generate templates or process user-supplied template strings without proper validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2013-4660?

Available Upgrade Options

  • js-yaml
    • <2.0.5 → Upgrade to 2.0.5


Additional Resources

What are Similar Vulnerabilities to CVE-2013-4660?

Similar Vulnerabilities: CVE-2021-23337, CVE-2019-10744, CVE-2017-1000048, CVE-2016-10735, CVE-2015-8868