CVE-2021-29300: Command Injection Vulnerability in @ronomon/opened Library

Description

The @ronomon/opened library versions before 1.5.2 contain a command injection vulnerability (CWE-78). This vulnerability allows remote attackers to execute arbitrary commands on the host system when the library processes untrusted input. The vulnerability occurs because the library does not properly sanitize or validate user-supplied input before using it in system commands.

Overview

The @ronomon/opened library is used to determine if a file is currently opened by another process. The vulnerability exists in versions prior to 1.5.2, where the library fails to properly sanitize input parameters before passing them to system commands. An attacker who can control the input passed to the library can inject malicious commands that will be executed with the privileges of the application using the library. This is particularly dangerous in web applications or services that process user-supplied filenames or paths and use this library to check if files are in use.

Remediation

To remediate this vulnerability, users should:

  1. Update the @ronomon/opened library to version 1.5.2 or later.
  2. If updating is not immediately possible, implement input validation and sanitization before passing any user-controlled data to the library.
  3. Consider using the principle of least privilege for applications that use this library, limiting the potential impact of command execution.
  4. Review application code to ensure that untrusted input is never passed directly to the library without proper validation.

References

  1. Checkmarx Security Advisory: https://advisory.checkmarx.net/advisory/CX-2021-4775
  2. Patch commit: https://github.com/ronomon/opened/commit/7effe011d4fea8fac7f78c00615e0a6e69af68ec
  3. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): https://cwe.mitre.org/data/definitions/78.html

Industry Exposure (most to least)

This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry, Fishing & Hunting
  4. Arts, Entertainment & Recreation
  5. Construction
  6. Educational Services
  7. Finance and Insurance
  8. Health Care & Social Assistance
  9. Information
  10. Management of Companies & Enterprises
  11. Manufacturing
  12. Mining
  13. Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
  15. Public Administration
  16. Real Estate Rental & Leasing
  17. Retail Trade
  18. Transportation & Warehousing
  19. Utilities
  20. Wholesale Trade
