
CVE-2018-3786: Command Injection in egg-scripts

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.92867%
Published: 9/17/2018
Updated: 9/18/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: egg-scripts
Ecosystem: npm
Vulnerable Versions: < 2.8.1
First Patched Version: 2.8.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability was patched by replacing `exec()` with `execFile()` in PR #26. The original code used `exec('tail -n 100 ' + stderr)`, where `stderr` came from the user-controlled `--stderr` parameter. `exec()` spawns a shell and interprets shell metacharacters such as `;`, `|` and `$()`, so anything the caller appends after the path runs as a separate command. `execFile()` runs the binary directly with no shell and passes the value as a single argument, so the same characters are treated as part of the filename and `tail` simply fails to open it. The vulnerable pattern matches CWE-78 (OS Command Injection): untrusted data flows directly into a shell command. Note that the injection requires control of the process's own command-line arguments, which limits the realistic attack surface to callers (wrappers, service managers, CI jobs) that pass through user-supplied values.

WAF Protection Rules

WAF Rule

Versions of `egg-scripts` before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line. Example: `eggctl start --daemon --stderr='/tmp/eggctl_stderr.log; touch /tmp/malicious'`
