Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-26129: bwm-ng: Command Injection | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Gianluca Gabrielli <gianluca.gabrielli> |
| Component: | Other | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | mvetter, security-team |
| Version: | Leap 15.4 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
CVE-2023-26129 is about a nodejs thingy, see: https://github.com/advisories/GHSA-8vw3-vxmj-h43w. network:utilities/bwm-ng is a different bandwidth monitor sharing the same name. Bug is invalid.
### Overview

Affected versions of this package are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file.

### Note

To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.

### PoC

```javascript
var check = require('bwm-ng').check;

// Callback invoked by check() with per-interface readings.
function bwmCb(interface, downSpeed, upSpeed) { }

// The last "interface name" carries shell metacharacters.
check(bwmCb, ["enp3s0", "lo", ";touch EXPLOITED;"]);
```