Command Injection in egg-scripts

low severity Published Sep 17, 2018 • Updated Jan 8, 2021

Package

npm egg-scripts (npm)

Affected versions

< 2.8.1

Patched versions

2.8.1

Description

Versions of egg-scripts before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line.

Example:
eggctl start --daemon --stderr='/tmp/eggctl_stderr.log; touch /tmp/malicious'

Recommendation

Update to version 2.8.1 or later.

CVE ID

CVE-2018-3786