Bug 1211786 (CVE-2023-26129) - VUL-0: CVE-2023-26129: bwm-ng: Command Injection
Summary: VUL-0: CVE-2023-26129: bwm-ng: Command Injection
Status: RESOLVED INVALID
Alias: CVE-2023-26129
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Version: Leap 15.4
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-29 06:21 UTC by Gianluca Gabrielli
Modified: 2024-03-20 08:31 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2023-05-29 06:21:03 UTC
### Overview

Affected versions of this package are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file.

### Note

To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.

### PoC

```javascript
// PoC: the third "interface name" carries a shell command, which runs as a
// shell command because check() does not sanitize the interface list.
var check = require('bwm-ng').check;
function bwmCb(interface, downSpeed, upSpeed) { }
check(bwmCb, ["enp3s0", "lo", ";touch EXPLOITED;"]);
```
Comment 1 Michael Vetter 2024-03-12 15:37:30 UTC
CVE-2023-26129 is about a nodejs thingy, see: https://github.com/advisories/GHSA-8vw3-vxmj-h43w

network:utilities/bwm-ng is a different bandwidth monitor sharing the same name.

Bug is invalid.