CVE-2023-26107

Published Mar 6, 2023

Last updated a year ago

Overview

Description: All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string.
Source: report@snyk.io
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-94
report@snyk.io: CWE-94

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ebay:sketchsvg:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B4663EF2-C8FB-4D82-87E9-1C0BD0EF5C44"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References