Re: CVE Request - dns-sync node module

[cve-assign () mitre org]

>  This never did receive an allocation, did it?
>
> On Tue Nov 11, 2014 at 20:02:40 +0000, Steve Kemp wrote:
> >   The dns-sync library for node.js allows resolving hostnames in
> >  a synchronous fashion
> >
> >   All versions of dns-sync prior to the release 0.1.1 were
> >  vulnerable to arbitrary command execution via maliciously
> >  formed hostnames.  For example:
> >
> >     var dnsSync = require('dns-sync');
> >     console.log(dnsSync.resolve('$(id > /tmp/foo)'));
> >
> >   This is caused by the hostname being passed through a shell
> >  as part of a command execution.
> >
> >   I disclosed/reported this here:
> >
> >         https://github.com/skoranga/node-dns-sync/issues/1
> >
> >   The following commit resolves the bug:
> >
> >         https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d
>
>
> Steve
> --
> Git-based DNS hosting
> https://dns-api.com/

Use CVE-2014-9682.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]