OS Command Injection Affecting github.com/projectdiscovery/nuclei/v3/pkg/templates package, versions >=3.0.0 <3.2.0
Snyk ID SNYK-GOLANG-GITHUBCOMPROJECTDISCOVERYNUCLEIV3PKGTEMPLATES-6454369
- published 17 Mar 2024
- disclosed 15 Mar 2024
- credit @gpc1996
Introduced: 15 Mar 2024
CVE-2024-27920
How to fix?
Upgrade github.com/projectdiscovery/nuclei/v3/pkg/templates to version 3.2.0 or higher.
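As an added example that is not part of the Snyk advisory or of the nuclei project: a small Go helper that checks the nuclei/v3 pin in a go.mod against the affected range stated above (>=3.0.0 <3.2.0). The module path and range come from the advisory; the function names and the go.mod handling are constructed here, and pre-release tags are treated per semver ordering.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path under which the affected pkg/templates package is pulled into go.mod.
const nucleiModule = "github.com/projectdiscovery/nuclei/v3"

// AffectedByCVE202427920 reports whether a nuclei/v3 version ("v3.1.4", "3.1.4-rc1",
// "v3.1.4+meta") falls in the advisory range >=3.0.0 <3.2.0. Pre-releases of 3.2.0
// (e.g. v3.2.0-rc1) sort below the fixed release under semver, so they count as affected.
func AffectedByCVE202427920(version string) (bool, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	v = strings.SplitN(v, "+", 2)[0] // build metadata never affects ordering
	pre := strings.Contains(v, "-")  // pre-release tag present?
	v = strings.SplitN(v, "-", 2)[0]
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return false, fmt.Errorf("unparseable version %q", version)
		}
		n[i] = x
	}
	if n[0] != 3 {
		return false, nil
	}
	return n[1] < 2 || (n[1] == 2 && n[2] == 0 && pre), nil
}

// ScanGoMod returns the pinned nuclei/v3 version from go.mod text and whether it is
// affected; version is "" when the module is not a direct requirement. Handles both
// the single-line "require path vX" form and entries inside a require ( ... ) block.
func ScanGoMod(gomod string) (version string, affected bool, err error) {
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "require ")
		if f := strings.Fields(line); len(f) >= 2 && f[0] == nucleiModule {
			affected, err = AffectedByCVE202427920(f[1])
			return f[1], affected, err
		}
	}
	return "", false, nil
}
```

Transitive pins live in go.sum and `go list -m all` rather than in the direct require block, so run the same check over that output for a complete picture.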
Overview
Affected versions of this package are vulnerable to OS Command Injection due to improper validation of code templates in workflows, which allows unsigned code templates to be executed. The issue specifically affects users who run custom workflows, potentially enabling execution of malicious code on the user's system.
Note
Affected users are:
- CLI users: those executing custom workflows from untrusted sources, including workflows authored by third parties or obtained from unverified repositories.
- SDK users: developers integrating Nuclei into their platforms, particularly if they permit end-users to execute custom workflows.
Workaround
Avoid untrusted workflows: as an interim measure, users who cannot upgrade immediately should refrain from using custom workflows, and only trusted, verified workflows should be executed.