CVE-2017-16042
arbitrary command execution vulnerability in growl (npm)


What is CVE-2017-16042 About?

This is an arbitrary command execution vulnerability in affected versions of `growl`. The module fails to properly sanitize input before passing it to a shell command, allowing attackers to execute arbitrary operating system commands. This flaw is easy to exploit and can lead to full system compromise.

Affected Software

growl <1.10.0

Technical Details

The growl module, in versions prior to 1.10.0, is vulnerable to arbitrary command execution due to insufficient input sanitization. Specifically, the module constructs shell commands using user-supplied input without properly escaping or validating special characters. An attacker can inject shell metacharacters (for example backticks or semicolons) into parameters that are intended to be displayed as growl notifications. When growl executes the constructed command through a shell, the shell interprets those characters, so the attacker's injected text runs as commands. This lets an attacker break out of the intended growl command and run any command on the underlying system with the privileges of the growl process.

What is the Impact of CVE-2017-16042?

Successful exploitation may allow attackers to execute arbitrary commands on the host operating system with the privileges of the affected application, leading to full system compromise, data theft, or further network penetration.

What is the Exploitability of CVE-2017-16042?

Exploitation of this vulnerability is of low complexity and can often be achieved remotely, depending on how the growl input is exposed. It requires the ability to provide unsanitized input to the growl module, which is then passed to a shell command. No specific authentication or privilege beyond the ability to trigger a growl notification with attacker-controlled data is needed. The attack vector is typically through an application that uses growl to display notifications based on user input (e.g., chat messages, system alerts). The ease of injecting shell metacharacters and the direct impact of command execution make this a high-risk vulnerability. Remote versus local access depends on whether the application processing user input to growl is network-accessible.

What are the Known Public Exploits?

No known public exploits are listed (PoC, author, link and commentary columns are empty).

What are the Available Fixes for CVE-2017-16042?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • growl
    • <1.10.0 → Upgrade to 1.10.0


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16042?

Similar Vulnerabilities: CVE-2014-7205, CVE-2017-1000117, CVE-2018-0115, CVE-2018-1000136, CVE-2018-1000137