CVE-2014-9682

Published: Feb 28, 2015Modified: May 6, 2026

10.0

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability: 10.0 / Impact: 10.0

Source: NVD

Description

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Affected (1)

Products: Dns Sync Project: Dns Sync

Dns Sync Project

1 product

Dns Sync

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dns Sync Project Dns Sync	Up to 0.1.0

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (6)

http://www.openwall.com/lists/oss-security/2014/11/11/6

Source: cve@mitre.org

https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d

Source: cve@mitre.org

https://github.com/skoranga/node-dns-sync/issues/1

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2014/11/11/6

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/skoranga/node-dns-sync/issues/1

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.