
CVE-2021-46704: OS Command Injection in GenieACS

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.99528%
Published: 3/7/2022
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: genieacs
Ecosystem: npm
Vulnerable Versions: < 1.2.8
First Patched Version: 1.2.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The commit adds validation to lib/ping.ts's ping function, confirming it was the injection point.
  2. The vulnerability description explicitly mentions both lib/ui/api.ts and lib/ping.ts as vulnerable components.
  3. The CWE-78 mapping indicates direct OS command injection, which occurs when building the ping command string.
  4. The 'unauthorized' aspect in the description points to missing auth checks in the API layer (lib/ui/api.ts).
  5. Pre-patch code shows host input was only processed with replace() calls, insufficient for security validation.


WAF Protection Rules

WAF Rule

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing
