CVE-2019-10789

CRITICAL

9.8

Description

All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published2/6/2020

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

curling_project:curling

Weaknesses (CWE)

CWE-78

References

https://github.com/hgarcia/curling/blob/e861d625c074679a2931bcf4ce8da0afa8162c53/lib/curl-transport.js#L56(report@snyk.io)

https://snyk.io/vuln/SNYK-JS-CURLING-546484(report@snyk.io)

https://github.com/hgarcia/curling/blob/e861d625c074679a2931bcf4ce8da0afa8162c53/lib/curl-transport.js#L56(af854a3a-2127-422b-91ae-364da2661108)

https://snyk.io/vuln/SNYK-JS-CURLING-546484(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.