CVE-2021-43837 – Template injection in vault-cli
https://notcve.org/view.php?id=CVE-2021-43837
vault-cli is a configurable command-line interface tool (and Python library) for interacting with HashiCorp Vault. In versions before 3.0.0, vault-cli can render templated values: when a secret starts with the prefix `!template!`, vault-cli interprets the rest of the secret's contents as a Jinja2 template.
• https://github.com/peopledoc/vault-cli/commit/3ba3955887fd6b7d4d646c8b260f21cebf5db852
• https://github.com/peopledoc/vault-cli/security/advisories/GHSA-q34h-97wf-8r8j
• https://podalirius.net/en/publications/grehack-2021-optimizing-ssti-payloads-for-jinja2
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2020-7633
https://notcve.org/view.php?id=CVE-2020-7633
apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri argument.
• https://openbase.io/js/apiconnect-cli-plugins
• https://snyk.io/vuln/SNYK-JS-APICONNECTCLIPLUGINS-564427
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2017-16155
https://notcve.org/view.php?id=CVE-2017-16155
fast-http-cli is the command-line interface for fast-http, a simple web server. fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
• https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/fast-http-cli
• https://nodesecurity.io/advisories/383
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-10657
https://notcve.org/view.php?id=CVE-2016-10657
co-cli-installer downloads the co-cli module as part of the install process, but does so over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned between the user and the remote server.
• https://nodesecurity.io/advisories/268
• CWE-310: Cryptographic Issues
• CWE-311: Missing Encryption of Sensitive Data
CVE-2016-10597
https://notcve.org/view.php?id=CVE-2016-10597
cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
• https://nodesecurity.io/advisories/197
• CWE-311: Missing Encryption of Sensitive Data