CVE-2014-9682 — dns-sync command injection vulnerability

Description

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

How to fix CVE-2014-9682

To remediate CVE-2014-9682, upgrade the affected package to a fixed version below.

npm/dns-sync—upgrade to 0.1.1 or later

Is CVE-2014-9682 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.1.1

References (6)

ADVISORYgithub.com/advisories/GHSA-q5pq-pgrv-fh89
ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-9682
PATCHgithub.com/skoranga/node-dns-sync
WEBgithub.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d
WEB