CVE-2019-10061
https://notcve.org/view.php?id=CVE-2019-10061
utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands. utils/find-opencv.js in node-opencv (también conocido como enlaces de OpenCV para Node.js), en versiones anteriores a la 6.1.0, es vulnerable a la inyección de comandos. No valida la entrada de usuario permitiendo, así, que los atacantes ejecuten comandos arbitrarios. • https://github.com/ossf-cve-benchmark/CVE-2019-10061 https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563 https://www.npmjs.com/advisories/789 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2017-16067
https://notcve.org/view.php?id=CVE-2017-16067
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. node-opencv era un módulo malicioso publicado para secuestrar variables de entorno. Ha sido retirado por npm. • https://nodesecurity.io/advisories/506 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-506: Embedded Malicious Code •
CVE-2017-16066
https://notcve.org/view.php?id=CVE-2017-16066
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. "opencv.js" era un módulo malicioso publicado para secuestrar variables de entorno. Ha sido retirado por npm. • https://nodesecurity.io/advisories/505 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-506: Embedded Malicious Code •
CVE-2016-10658
https://notcve.org/view.php?id=CVE-2016-10658
native-opencv is the OpenCV library installed via npm native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server. native-opencv es la biblioteca de OpenCV instalada mediante npm. native-opencv descarga recursos binarios por HTTP, lo que lo deja vulnerable a ataques MITM. Podría ser posible provocar la ejecución remota de código (RCE) cambiando los recursos solicitados por otros controlados por el atacante si éste está en la red o posicionado entre el usuario y el servidor remoto. • https://nodesecurity.io/advisories/263 • CWE-310: Cryptographic Issues CWE-311: Missing Encryption of Sensitive Data •
CVE-2018-7713
https://notcve.org/view.php?id=CVE-2018-7713
The validateInputImageSize function in modules/imgcodecs/src/loadsave.cpp in OpenCV 3.4.1 allows remote attackers to cause a denial of service (assertion failure) because (size.width <= (1<<20)) may be false. Note: “OpenCV CV_Assert is not an assertion (C-like assert()), it is regular C++ exception which can raised in case of invalid or non-supported parameters. ** EN DISPUTA ** La función validateInputImageSize en modules/imgcodecs/src/loadsave.cpp en OpenCV versión 3.4.1 permite a los atacantes remotos causar una denegación de servicio (assertion failure) porque (size.width menor= (1 menor 20)) puede ser falso Nota: "OpenCV CV_Assert no es una aserción (C-like assert()), es una excepción normal de C ++ que se puede generar en caso de parámetros no válidos o no admitidos". • https://github.com/opencv/opencv/issues/10998 https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert • CWE-617: Reachable Assertion •