
CVE-2021-33360: stoqey/gnuplot is vulnerable to command injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.29571%
Published: 3/10/2023
Updated: 3/15/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: @stoqey/gnuplot
Ecosystem: npm
Vulnerable Versions: <= 0.0.3
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability exists in how the user-controlled 'filePath' is interpolated directly into shell commands via child_process.exec. The plotCallack function contains two critical insecure patterns: 1) exec(`touch ${filePath}`) and 2) exec(`gnuplot > ${filePath}`) (or a similar PDF variant). Because exec hands the assembled string to a shell, an attacker who controls the filename parameter can inject arbitrary commands through shell metacharacters. The lack of input validation/sanitization and the unsafe command construction map directly to CWE-77 command injection. The GitHub advisory specifically calls out plotCallack and filePath as the vulnerable components.


WAF Protection Rules

WAF Rule

An issue found in Stoqey Gnuplot v.0.0.3 and earlier allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child_process, and/or filePath parameter(s).
