Command Injection
Description
All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of the abacus-ext-cmdline npm package are vulnerable to command injection via the execute function due to insufficient input sanitization.
Overview
CVE-2022-24431 affects all versions of the abacus-ext-cmdline npm package. The vulnerability is a command injection flaw in the execute function, which fails to properly sanitize user-supplied input before passing it to a system command [1][2]. This allows an attacker to inject arbitrary shell commands.
Exploitation
An attacker can exploit this vulnerability by providing a crafted string to the execute function. For example, the proof-of-concept demonstrates that passing "& touch JHU &" results in execution of the touch command [2]. No authentication is required if the attacker can control the input to this function, which may occur in applications that use the package to process user-provided command-line arguments.
Impact
Successful exploitation leads to arbitrary command execution with the privileges of the application or process that invokes the execute function. This can result in full system compromise, data exfiltration, or further lateral movement within the network.
Mitigation
As of the publication date, there is no patched version of abacus-ext-cmdline [2]. The package appears to be unmaintained. Users are advised to avoid using this package altogether or to implement strict input validation and sanitization as a workaround. Organizations should assess their exposure and consider replacing the package with a maintained alternative.
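The validation workaround mentioned above can look like the following. This is an added example, not code from abacus-ext-cmdline or the advisory: `shellStringFor`, `buildInvocation`, `runSafe`, the operation allow-list and the argument pattern are hypothetical, and the unsafe half assumes the usual shape of this bug class (input concatenated into a string that a shell parses).

```javascript
// Added example. All names here are hypothetical, not abacus-ext-cmdline's API.

// Unsafe pattern (assumed shape of the bug class): user input is concatenated
// into one string. If that string reaches a shell, '&', ';', '|' and '$()' are
// parsed as syntax, so "& touch JHU &" becomes a second command.
function shellStringFor(userInput) {
  return 'ls -l ' + userInput; // never hand a string like this to exec()
}

// Hardened pattern: the caller picks an operation from a fixed allow-list.
// The trailing '--' stops user values from being read as options.
const ALLOWED = new Map([
  ['list', { file: 'ls', fixedArgs: ['-l', '--'] }],
  ['show', { file: 'cat', fixedArgs: ['--'] }],
]);

// Conservative argument pattern: letters, digits, dot, underscore, slash, hyphen.
const SAFE_ARG = /^[A-Za-z0-9._\/-]{1,255}$/;

// Validate the request and return an argv vector; throw on anything unexpected.
function buildInvocation(operation, userArgs) {
  const entry = ALLOWED.get(operation);
  if (!entry) throw new Error(`operation not allowed: ${operation}`);
  for (const arg of userArgs) {
    if (typeof arg !== 'string' || !SAFE_ARG.test(arg)) {
      throw new Error(`rejected argument: ${JSON.stringify(arg)}`);
    }
  }
  return { file: entry.file, args: [...entry.fixedArgs, ...userArgs] };
}

// Run the validated command without a shell, so each argument reaches the
// program as one literal string and is never re-parsed.
async function runSafe(operation, userArgs) {
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  const { file, args } = buildInvocation(operation, userArgs);
  const { stdout } = await promisify(execFile)(file, args, {
    shell: false,  // default for execFile, stated explicitly
    timeout: 5000, // bound runtime of the child process
  });
  return stdout;
}
```

With this wrapper the string from the proof-of-concept is rejected before any process is spawned, and even a value that passed validation would be delivered as a single argument rather than interpreted by a shell.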
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| abacus-ext-cmdline (npm) | <= 0.0.6-dev.9 | — |
Affected products
- abacus-ext-cmdline/abacus-ext-cmdline
- Range: *
Patches
No patches discovered yet.