CVE-2022-0841 - Vulnerability Details - OpenCVE

OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Npm-lockfile Project	Npm-lockfile

Configuration 1 [-]

OR	cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.3:::::node.js::
	cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.4:::::node.js::

No data.

References

Link	Providers
https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8
https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1
https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1/
https://nvd.nist.gov/vuln/detail/CVE-2022-0841
https://www.cve.org/CVERecord?id=CVE-2022-0841

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-03-03T15:50:10

Updated: 2024-08-02T23:40:04.446Z

Reserved: 2022-03-03T00:00:00

Link: CVE-2022-0841

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-03T16:15:07.863

Modified: 2024-11-21T06:39:30.380

Link: CVE-2022-0841

Redhat

Severity : Low

Publid Date: 2022-03-03T00:00:00Z

Links: CVE-2022-0841 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "ljharb/npm-lockfile", "vendor": "ljharb", "versions": [{"status": "affected", "version": "2.0.3"}, {"status": "affected", "version": "2.0.4"}]}], "descriptions": [{"lang": "en", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-04T08:15:13", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}], "source": {"advisory": "4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "discovery": "EXTERNAL"}, "title": "OS Command Injection in ljharb/npm-lockfile", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0841", "STATE": "PUBLIC", "TITLE": "OS Command Injection in ljharb/npm-lockfile"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ljharb/npm-lockfile", "version": {"version_data": [{"version_affected": "=", "version_value": "2.0.3"}, {"version_affected": "=", "version_value": "2.0.4"}]}}]}, "vendor_name": "ljharb"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"name": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8", "refsource": "MISC", "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}]}, "source": {"advisory": "4f806dc9-2ecd-4e79-997e-5292f1bea9f1", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:40:04.446Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0841", "datePublished": "2022-03-03T15:50:10", "dateReserved": "2022-03-03T00:00:00", "dateUpdated": "2024-08-02T23:40:04.446Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.3:*:*:*:*:node.js:*:*", "matchCriteriaId": "F81C86AD-D217-4007-BE77-43366826ACBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:npm-lockfile_project:npm-lockfile:2.0.4:*:*:*:*:node.js:*:*", "matchCriteriaId": "9DAF0424-6A7C-4853-B316-0BF3CFE247F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4."}, {"lang": "es", "value": "Inyecci\u00f3n de comandos del sistema operativo en el repositorio de GitHub ljharb/npm-lockfile en las versiones v2.0.3 y v2.0.4."}], "id": "CVE-2022-0841", "lastModified": "2024-11-21T06:39:30.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T16:15:07.863", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ljharb/npm-lockfile/commit/bfdb84813260f0edbf759f2fde1e8c816c1478b8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "npm-lockfile: os command injection", "id": "2060615", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060615"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-78", "details": ["OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.", "A flaw was found in npm-lockfile, where npm-lockfile v2 did not sanitize the `only` parameter before invoking sensitive command execution API with the input. This issue leads to a command injection vulnerability."], "name": "CVE-2022-0841", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "cockpit-appstream", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:2.0/cockpit-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/cockpit-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:12/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:14/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs12-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs14-nodejs", "product_name": "Red Hat Software Collections"}], "public_date": "2022-03-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-0841\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0841\nhttps://huntr.dev/bounties/4f806dc9-2ecd-4e79-997e-5292f1bea9f1/"], "statement": "This flaw only affects npm-lockfile v2. Red Hat Enterprise Linux is not affected by this issue as it ships npm-lockfile v1. Note that the impact is Low as there is no way for external attackers to provide unsafe input and exploit the issue. See huntr vulnerability report (External References) for more information in this regard.", "threat_severity": "Low"}