CVE-2018-21268

moderate-risk
Published 2020-06-25

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Do I need to act?

~
6.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: b99ee024a01a40d3d20a92ad3769cc78a3f6386f
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Traceroute

Affected Vendors

Traceroute Project

References (16)

Patch https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc7...
Third Party Advisory https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-...
Exploit https://snyk.io/vuln/npm:traceroute:20160311
Third Party Advisory https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-trace...
Third Party Advisory https://www.npmjs.com/advisories/1465
Product https://www.npmjs.com/package/traceroute
Exploit https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-p...
Patch https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc7...
Third Party Advisory https://github.com/jaw187/node-traceroute/tags
https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-...
Exploit https://snyk.io/vuln/npm:traceroute:20160311
Third Party Advisory https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-trace...
Third Party Advisory https://www.npmjs.com/advisories/1465
Product https://www.npmjs.com/package/traceroute
Exploit https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-p...
47
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal