CVE-2024-21488
Arbitrary Command Injection vulnerability in network
What is CVE-2024-21488 About?
This vulnerability is an Arbitrary Command Injection flaw in the 'network' package in versions before 0.7.0, caused by passing insufficiently sanitized input to the `child_process.exec` function. It allows attackers to execute arbitrary commands on the operating system by supplying malicious input to the `mac_address_for` function. Exploitation is considered easy because unsanitized user input is executed directly.
Affected Software
Technical Details
The vulnerability arises from the 'network' package utilizing the `child_process.exec` function without adequately sanitizing user-controlled input. Specifically, if attacker-controlled data is passed to the `mac_address_for` function, it is directly incorporated into a command that is then executed by the operating system. This lack of sanitization allows an attacker to inject arbitrary shell commands, which will be executed with the privileges of the affected application, leading to arbitrary command execution.
What is the Impact of CVE-2024-21488?
Successful exploitation may allow attackers to execute arbitrary operating system commands, compromise the integrity, confidentiality, and availability of the affected system, and potentially gain full control of the host.
What is the Exploitability of CVE-2024-21488?
Exploitation of this vulnerability is straightforward, primarily requiring the ability to supply malicious input to the `mac_address_for` function. There are no complex prerequisites beyond this, and no specific authentication or elevated privileges are required if the vulnerable function processes unauthenticated input. It typically involves remote access if the vulnerable application is internet-facing, or local access if the input point is via a local interface or file modified by an attacker. The primary risk factor increasing exploitation likelihood is direct exposure of the `mac_address_for` function to unsanitized external user input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21488?
Available Upgrade Options
- network
- <0.7.0 → Upgrade to 0.7.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2024-21488
- https://github.com/tomas/network/commit/6ec8713580938ab4666df2f2d0f3399891ed2ad7
- https://gist.github.com/icemonster/282ab98fb68fc22aac7c576538f6369c
- https://security.snyk.io/vuln/SNYK-JS-NETWORK-6184371
- https://github.com/tomas/network/commit/72c523265940fe279eb0050d441522628f8988e5
- https://github.com/tomas/network/commit/5599ed6d6ff1571a5ccadea775430c131f381de7
- https://github.com/tomas/network
What are Similar Vulnerabilities to CVE-2024-21488?
Similar Vulnerabilities: CVE-2021-38557, CVE-2020-15228, CVE-2023-28155, CVE-2022-21703, CVE-2022-25911
