CVE-2023-26128

All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/liujunyang/keep-module-latest/blob/master/index.js%23L50	Broken Link
https://security.snyk.io/vuln/SNYK-JS-KEEPMODULELATEST-3157165	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:keep-module-latest_project:keep-module-latest:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2023-05-27 05:15

Updated : 2023-11-07 04:09

NVD link : CVE-2023-26128

Mitre link : CVE-2023-26128

CVE.ORG link : CVE-2023-26128

JSON object : View

Products Affected

keep-module-latest_project

keep-module-latest

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2023-26128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "published": "2023-05-27T05:15:09.860", "references": [{"url": "https://github.com/liujunyang/keep-module-latest/blob/master/index.js%23L50", "tags": ["Broken Link"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-KEEPMODULELATEST-3157165", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function.\r\r**Note:**\r\rTo execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment."}], "lastModified": "2023-11-07T04:09:24.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:keep-module-latest_project:keep-module-latest:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3C88C3AE-1C60-4D8C-81A6-05A00191F199"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}