Command Injection Affecting nemo-appium package, versions <0.0.9
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.16% (53rd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NEMOAPPIUM-3183747
- published 30 Jan 2023
- disclosed 27 Dec 2022
- credit JHU System Security Lab
Introduced: 27 Dec 2022
CVE-2022-21129 Open this link in a new tabHow to fix?
Upgrade nemo-appium
to version 0.0.9 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function.
Note: In order to exploit this vulnerability appium-running
0.1.3 has to be installed as one of nemo-appium
dependencies.
PoC
const na = require('nemo-appium');
na.setup('touch EXPLOITED',{},function(){});