mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-08 22:35:37 +02:00
0xMarcio
863 B
863 B
CVE-2018-21268
Description
The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.
POC
Reference
- https://medium.com/@shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3
- https://snyk.io/vuln/npm:traceroute:20160311
Github
No PoCs found on GitHub currently.