
CVE-2022-24377: cycle-import-check vulnerable to Command Injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.89145%
Published: 12/14/2022
Updated: 8/17/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: cycle-import-check
Ecosystem: npm
Vulnerable Versions: < 1.3.2
First Patched Version: 1.3.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is explicitly attributed to writeFileToTmpDirAndOpenIt in all advisory sources. The function:

1. Constructs OS commands using exec() with unsanitized user input (the filename parameter).
2. Uses string interpolation to build commands such as `start ${path}` / `open ${path}`.
3. Was completely removed in the patched version (1.3.2), as seen in the commit diff.
4. Has a documented PoC demonstrating injection via the filename parameter.
5. Directly matches the CWE-77 command injection pattern: unsafe user input placed in OS commands.


WAF Protection Rules

WAF Rule

The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the `writeFileToTmpDirAndOpenIt` function due to improper user-input sanitization.
