Command Execution Vulnerability in OpenSSL NPM Package by OpenSSL
CVE-2023-49210

9.8CRITICAL

Key Information:

Vendor: Node-OpenSSL Project
Status: Node-OpenSSL
Vendor: CVE Published:; 23 November 2023

Summary

A command execution vulnerability exists in the OpenSSL NPM package, which functions as a wrapper lacking real purpose. It accepts an 'opts' argument containing a 'verb' field, potentially allowing malicious users to execute arbitrary commands. This issue primarily affects legacy products that are no longer maintained, leaving them susceptible to exploitation and security breaches.

References

https://gist.github.com/mcoimbra/b05a55a5760172dccaa0a827...

https://github.com/ossf/malicious-packages/tree/main/mali...

https://www.npmjs.com/package/openssl

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 23, 2023
Vulnerability Reserved
Nov 23, 2023