CVE-2022-21191

low-risk
Published 2023-01-13

Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function.

Do I need to act?

-
0.65% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
LOCAL / HIGH complexity

Affected Products (1)

Global-Modules-Path

Affected Vendors

Global-Modules-Path Project

References (8)

Broken Link https://github.com/lorenzomigliorero/npm-node-utils/blob/b55dd81c597db657c975133...
Patch https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf29...
Third Party Advisory https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
Third Party Advisory https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
Broken Link https://github.com/lorenzomigliorero/npm-node-utils/blob/b55dd81c597db657c975133...
Patch https://github.com/rosen-vladimirov/global-modules-path/commit/edbdaff077ea0cf29...
Third Party Advisory https://github.com/rosen-vladimirov/global-modules-path/releases/tag/v3.0.0
Third Party Advisory https://security.snyk.io/vuln/SNYK-JS-GLOBALMODULESPATH-3167973
26
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal