← Voltar para CVEs
CVE-2021-32830
LOW3.9
Descricao
The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.
Detalhes CVE
Pontuacao CVSS v3.13.9
SeveridadeLOW
Vetor CVSSCVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Vetor de ataqueLOCAL
ComplexidadeHIGH
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado8/17/2021
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
haikuforteams:diez
Fraquezas (CWE)
CWE-78CWE-77
Referencias
https://github.com/diez/diez(security-advisories@github.com)
https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/(security-advisories@github.com)
https://www.npmjs.com/package/%40diez/generation(security-advisories@github.com)
https://github.com/diez/diez(af854a3a-2127-422b-91ae-364da2661108)
https://securitylab.github.com/advisories/GHSL-2021-061-diez-generation-cmd-injection/(af854a3a-2127-422b-91ae-364da2661108)
https://www.npmjs.com/package/%40diez/generation(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.