oss-sec mailing list archives
Re: CVE Request - dns-sync node module
From: cve-assign () mitre org
Date: Fri, 13 Feb 2015 09:28:44 -0500 (EST)
This never did receive an allocation, did it? On Tue Nov 11, 2014 at 20:02:40 +0000, Steve Kemp wrote:The dns-sync library for node.js allows resolving hostnames in a synchronous fashion All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require('dns-sync'); console.log(dnsSync.resolve('$(id > /tmp/foo)')); This is caused by the hostname being passed through a shell as part of a command execution. I disclosed/reported this here: https://github.com/skoranga/node-dns-sync/issues/1 The following commit resolves the bug: https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0dSteve -- Git-based DNS hosting https://dns-api.com/
Use CVE-2014-9682. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Re: CVE Request - dns-sync node module cve-assign (Feb 13)