CVE-2021-46704: OS Command Injection in GenieACS
CVSS Score: 9.8 (CVSS 3.1)

Basic Information

CVE ID: CVE-2021-46704
GHSA ID:
EPSS Score: 0.99528%
CWE: CWE-78 (OS Command Injection)
Published: 3/7/2022
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| genieacs | npm | < 1.2.8 | 1.2.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The fixing commit adds input validation to the ping function in lib/ping.ts, confirming that function as the injection point.
- The vulnerability description explicitly names both lib/ui/api.ts and lib/ping.ts as vulnerable components.
- The CWE-78 mapping indicates direct OS command injection, which occurs when the host value is concatenated into the ping command string.
- The "unauthorized" wording in the description points to a missing authorization check in the API layer (lib/ui/api.ts), so the ping endpoint could be reached without credentials.
- Pre-patch code only processed the host input with replace() calls, a denylist-style cleanup that is insufficient as security validation.