CVE-2022-21191
Command Injection vulnerability in global-modules-path (npm)
What is CVE-2022-21191 About?
This vulnerability is a Command Injection flaw in the `global-modules-path` npm package, specifically in its `getPath` function, prior to version 3.0.0. Due to a lack of input sanitization, an attacker can inject arbitrary shell commands. This is a critical vulnerability that can lead to remote code execution. Exploitation is straightforward if an attacker can control the input to `getPath`.
Affected Software
Technical Details
The global-modules-path package, in versions before 3.0.0, is vulnerable to Command Injection within its getPath function. The vulnerability arises because the input provided to getPath is not properly sanitized or escaped before being used in a system command execution context (e.g., by invoking a shell command). An attacker can embed malicious shell commands within the input string. When getPath processes this input, the embedded commands are executed with the privileges of the process running the Node.js application, allowing the attacker to execute arbitrary code on the host system. This essentially allows for complete system compromise.
What is the Impact of CVE-2022-21191?
Successful exploitation may allow attackers to execute arbitrary commands on the host system, leading to full system compromise, data exfiltration, or further network penetration.
What is the Exploitability of CVE-2022-21191?
Exploitation involves providing a specially crafted input string containing shell commands to the getPath function of the global-modules-path package. This is a low complexity attack if the attacker can control the input to this function. No authentication is typically required if the vulnerable function is exposed via an unauthenticated API endpoint. Privilege requirements are low on the attacker's side, but the impact will inherit the privileges of the running Node.js process. This is a remote access vulnerability if the input is processed via a web application. Special conditions include the application using the global-modules-path package to process untrusted user input without sanitization. Risk factors increasing exploitation likelihood include applications that expose input fields directly linked to this function or other system command execution functions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2022-21191?
About the Fix from Resolved Security
Available Upgrade Options
- global-modules-path
- <3.0.0 → Upgrade to 3.0.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-vvj3-85vf-fgmw
- https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf295b1469923c06bbccad3c180
- https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
- https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
- https://github.com/rosen-vladimirov/global-modules-path
- https://github.com/lorenzomigliorero/npm-node-utils/blob/b55dd81c597db657c9751332bb2242403fd3e26b/index.js%23L186
- https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf295b1469923c06bbccad3c180
- https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
- https://nvd.nist.gov/vuln/detail/CVE-2022-21191
- https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
What are Similar Vulnerabilities to CVE-2022-21191?
Similar Vulnerabilities: CVE-2023-38407 , CVE-2023-34080 , CVE-2023-26136 , CVE-2022-46175 , CVE-2022-38663
