@azure/ms-rest-nodeauth/.../ms-rest-nodeauth@2.0.0 vulnerabilities

Azure Authentication library in node.js with type definitions.

  • latest version

    3.1.1

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    3 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @azure/ms-rest-nodeauth package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Command Injection

    @azure/ms-rest-nodeauth is an Azure Authentication library in node.js with type definitions.

    Affected versions of this package are vulnerable to Command Injection via execAz(), a function that runs its input through child_process. Arbitrary OS commands can be injected into this function. Attackers can exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription() with an OS command as the argument, which is then passed on to the Azure CLI invocation.

    PoC

    const auth = require('@azure/ms-rest-nodeauth');
    auth.AzureCliCredentials.setDefaultSubscription('$(touch pzhou@shu)');
    

    How to fix Command Injection?

    Upgrade @azure/ms-rest-nodeauth to version 3.0.8 or higher.

    Vulnerable Version: <3.0.8