Command Injection Affecting connection-tester package, versions <0.2.1
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.61% (79th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-CONNECTIONTESTER-1048337
- published 16 Dec 2020
- disclosed 4 Dec 2020
- credit JHU System Security Lab
Introduced: 4 Dec 2020
CVE-2020-7781 Open this link in a new tabHow to fix?
Upgrade connection-tester
to version 0.2.1 or higher.
Overview
connection-tester is a module that tests to check if the connection can be established or host/port reachable for a given host and port. Useful for testing all the connection in your node application at server startup.
Affected versions of this package are vulnerable to Command Injection. The injection point is located in line 15 in index.js
.
The following PoC demonstrates the vulnerability:
PoC
var a = require("connection-tester");
a.test("& touch 111","& touch 222",123)