Miggo Logo

CVE-2014-9682: dns-sync command injection vulnerability

10

CVSS Score

Basic Information

EPSS Score
0.76451%
Published
10/24/2017
Updated
9/5/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:C/I:C/A:C
Package NameEcosystemVulnerable VersionsFirst Patched Version
dns-syncnpm< 0.1.10.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the resolve() function in lib/dns-sync.js where user-controlled hostname input was directly interpolated into a shell command string (via util.format) without validation. The pre-patch code lacked hostname sanitization, enabling attackers to inject commands through shell metacharacters. The commit d9abaae specifically adds hostname validation to this function to mitigate the injection, and the CVE description explicitly mentions the resolve API as the attack vector. The shell.exec call with unsanitized input creates the command injection vulnerability through command string construction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ns-syn* mo*ul* ***or* *.*.* *or no**.js *llows *ont*xt-**p*n**nt *tt**k*rs to *x**ut* *r*itr*ry *omm*n*s vi* s**ll m*t****r**t*rs in t** *irst *r*um*nt to t** r*solv* *PI *un*tion.

Reasoning

T** vuln*r**ility st*ms *rom t** `r*solv*()` *un*tion in `li*/*ns-syn*.js` w**r* us*r-*ontroll** *ostn*m* input w*s *ir**tly int*rpol*t** into * s**ll *omm*n* strin* (vi* `util.*orm*t`) wit*out v*li**tion. T** pr*-p*t** *o** l**k** *ostn*m* s*nitiz*t