CVE-2022-24431: abacus-ext-cmdline vulnerable to Command Injection

CVSS Score: 7.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.54105%
Published: 12/21/2022
Updated: 8/17/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: abacus-ext-cmdline
Ecosystem: npm
Vulnerable Versions: <= 0.0.6-dev.9
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. Multiple authoritative sources (GitHub Advisory, NVD, Snyk) explicitly identify the execute function as the injection vector.
  2. The provided PoC demonstrates command injection via root.execute() with untrusted input containing shell operators (&).
  3. CWE-78 classification confirms this is a command injection vulnerability where user input flows directly to OS commands.
  4. While exact implementation details aren't available, the consistent function name across reports and PoC usage provides high confidence in this assessment.

WAF Protection Rules

WAF Rule

All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.

Reasoning

  1. Multiple authoritative sources (GitHub Advisory, NVD, Snyk) explicitly identify the execute function as the injection vector.
  2. The provided PoC demonstrates command injection via root.execute() with untrusted input containing shell operators (&).