Miggo Logo

CVE-2022-21810: Command injection in smartctl

7.8

CVSS Score
3.1

Basic Information

EPSS Score
0.47745%
Published
1/26/2023
Updated
2/2/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
smartctlnpm<= 1.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in the info method which takes a devicePath parameter and passes it unsanitized to execSmart. The code shows direct concatenation of user input into a shell command ("smartctl -i " + devicePath) using exec(). This pattern is vulnerable to command injection as confirmed by: 1) The advisory explicitly naming the info method 2) The Snyk PoC demonstrating injection via this parameter 3) The visible lack of input sanitization or safe execution methods (like execFile with separated arguments) in the code. The execSmart function is a common helper that amplifies this vulnerability across multiple entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* t** p**k*** sm*rt*tl *r* vuln*r**l* to *omm*n* Inj**tion vi* t** in*o m*t*o* *u* to improp*r input s*nitiz*tion.

Reasoning

T** vuln*r**ility m*ni**sts in t** `in*o` m*t*o* w*i** t*k*s * `**vi**P*t*` p*r*m*t*r *n* p*ss*s it uns*nitiz** to `*x**Sm*rt`. T** *o** s*ows *ir**t *on**t*n*tion o* us*r input into * s**ll *omm*n* ("sm*rt*tl -i " + `**vi**P*t*`) usin* `*x**()`. T*i