Arbitrary Command Injection Affecting libnmap package, versions <0.4.16


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.28% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-LIBNMAP-72551
  • published4 Nov 2018
  • disclosed14 Oct 2018
  • creditCristian-Alexandru Staicu

Introduced: 14 Oct 2018

CVE-2018-16461  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade libnmap to version 0.4.16 or higher.

Overview

libnmap is an API to access nmap from node.js.

Affected versions of this package are vulnerable to Arbitrary Command Injection. If the attacker is allowed to provide the "range" field for the network scan, they could inject arbitrary OS commands instead of a valid IP range.

CVSS Scores

version 3.1