org.webjars.npm:launch-editor 2.2.1

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:launch-editor package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M External Control of File Name or Path org.webjars.npm:launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to External Control of File Name or Path in the handling of UNC paths on Windows systems. An attacker can obtain NTLMv2 password hashes by tricking a user into accessing a malicious SMB server through a specially crafted UNC path. Note: This is only exploitable if the system is running Windows, NTLM authentication is enabled, the user accesses a malicious website that interacts with a middleware using the affected package, the server with the middleware is running, and the attacker knows the URL for that server and middleware. How to fix External Control of File Name or Path? A fix was pushed into the `master` branch but not yet published.	[0,)
H Arbitrary Command Injection org.webjars.npm:launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the `file` argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted filename as the `file` argument. Note: This is only exploitable if the package is running on Windows, the attacker can control the `file` argument, and can place a file with a malicious filename. How to fix Arbitrary Command Injection? A fix was pushed into the `master` branch but not yet published.	[0,)

Vulnerability

Vulnerable Version

External Control of File Name or Path

org.webjars.npm:launch-editor is a launch editor from node.js

Affected versions of this package are vulnerable to External Control of File Name or Path in the handling of UNC paths on Windows systems. An attacker can obtain NTLMv2 password hashes by tricking a user into accessing a malicious SMB server through a specially crafted UNC path.

Note:

This is only exploitable if the system is running Windows, NTLM authentication is enabled, the user accesses a malicious website that interacts with a middleware using the affected package, the server with the middleware is running, and the attacker knows the URL for that server and middleware.

How to fix External Control of File Name or Path?

A fix was pushed into the master branch but not yet published.

[0,)

Arbitrary Command Injection

org.webjars.npm:launch-editor is a launch editor from node.js

Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the file argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted filename as the file argument.

Note:

This is only exploitable if the package is running on Windows, the attacker can control the file argument, and can place a file with a malicious filename.

How to fix Arbitrary Command Injection?

A fix was pushed into the master branch but not yet published.

[0,)

org.webjars.npm:launch-editor@2.2.1

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically