
CVE-2021-34080: OS Command injection in ssl-utils

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.94262%
Published: 6/3/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
ssl-utils | npm | <= 1.0.0 | (none listed)

Vulnerability Intelligence

Root Cause Analysis

The CVE description, GHSA advisory, and Checkmarx advisory all explicitly name createCertRequest() and createCert() as the vulnerable functions. Both are described as accepting unsanitized shell metacharacters that are passed into OS commands, the classic CWE-78 pattern: caller-controlled input is spliced into a command line that a shell later parses, so characters such as `;`, `|`, `&`, backticks and `$(...)` alter the command rather than being treated as data. Multiple authoritative sources (NVD, GitHub Advisory Database, and Checkmarx) corroborate this assessment, though the exact file paths are unavailable in the provided data.

Vulnerable functions


WAF Protection Rules

WAF Rule

OS Command Injection vulnerability in esbaf ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.
