Miggo Logo
Miggo Vulnerability Database
CVE-2022-21129

CVE-2022-21129:
nemo-appium vulnerable to OS Command Injection

9.8

CVSS Score

Basic Information

CVE ID
CVE-2022-21129
GHSA ID
GHSA-c6rx-gxqv-vr5j
EPSS Score
-
CWE
CWE-77
Published
1/31/2023
Updated
2/7/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
nemo-appiumnpm< 0.0.90.0.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the setup function in index.js handling the 'apath' parameter. The commit diff shows added validation for 'apath' ending with 'appium' and prohibiting spaces, directly addressing command injection. The test case modification demonstrates exploitability via command chaining ('touch HACKED'). The CWE mapping and advisory descriptions confirm this is an OS command injection via improper input sanitization in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** n*mo-*ppium ***or* *.*.* *r* vuln*r**l* to *omm*n* Inj**tion *u* to improp*r input s*nitiz*tion in t** 'mo*ul*.*xports.s*tup' *un*tion. **Not*:** In or**r to *xploit t*is vuln*r**ility *ppium-runnin* *.*.* **s to ** inst*ll*

Reasoning

T** vuln*r**ility st*ms *rom t** s*tup *un*tion in in**x.js **n*lin* t** '*p*t*' p*r*m*t*r. T** *ommit *i** s*ows ***** v*li**tion *or '*p*t*' *n*in* wit* '*ppium' *n* pro*i*itin* sp***s, *ir**tly ***r*ssin* *omm*n* inj**tion. T** t*st **s* mo*i*i**t