safbc / Ethereum

Exploring and evaluating blockchains. This repo is focused on using Ethereum as the platform.

An attacker can craft a malicious payload to inject arbitrary commands #3

Open AlGolden opened 6 years ago

AlGolden commented 6 years ago

https://snyk.io/test/github/springblock/Ethereum?severity=high

high severity Arbitrary Code Injection

Vulnerable module: growl
Introduced through: grunt-mocha-cli@2.1.0

Detailed paths

Introduced through: blockchaininfrastructure@springblock/Ethereum#1267a1b257840e259f7a1c514a3e8656f9e1b2e3 › grunt-mocha-cli@2.1.0 › mocha@2.5.3 › growl@1.9.2

Overview

growl is a package adding Growl support for Node.js.

Affected versions of the package are vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. Node.js provides the eval() function by default, and it is used to translate strings into JavaScript code. An attacker can craft a malicious payload to inject arbitrary commands.
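As an added example (not code from this repository or from Snyk), the "Detailed paths" section above can be reconstructed from a `package-lock.json` so the top-level dependency that pulls in `growl` can be identified and upgraded. The lock fragment below is constructed to mirror the reported chain, and the lockfile v1 layout (nested `dependencies` for placement, `requires` for logical edges) is assumed.

```javascript
// Added example: reconstruct "Introduced through" chains from an npm lockfile.
// Assumes lockfileVersion 1: nested "dependencies" describe where a package is
// installed, "requires" describes which names a package actually depends on.
const TARGET = 'growl';

// Constructed lock fragment mirroring the report's path:
// grunt-mocha-cli@2.1.0 -> mocha@2.5.3 -> growl@1.9.2
const lock = {
  lockfileVersion: 1,
  dependencies: {
    'grunt-mocha-cli': {
      version: '2.1.0',
      requires: { mocha: '^2.5.3' },
      dependencies: {
        mocha: {
          version: '2.5.3',
          requires: { growl: '1.9.2' },
          dependencies: { growl: { version: '1.9.2' } },
        },
      },
    },
  },
};

// Resolve a required name the way Node's loader does: innermost node_modules
// first, then each enclosing scope out to the root of the lockfile.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Return every chain from a root dependency down to `target`, each as an
// array of "name@version" labels. `seen` guards against circular requires.
function pathsTo(lockfile, target) {
  const found = [];
  const walk = (node, name, scopes, chain, seen) => {
    const label = `${name}@${node.version}`;
    if (seen.has(label)) return;
    const next = [...chain, label];
    if (name === target) { found.push(next); return; }
    const nextScopes = [...scopes, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, nextScopes);
      if (child) walk(child, dep, nextScopes, next, new Set([...seen, label]));
    }
  };
  for (const [name, node] of Object.entries(lockfile.dependencies || {})) {
    walk(node, name, [lockfile], [], new Set());
  }
  return found;
}

console.log(pathsTo(lock, TARGET).map((p) => p.join(' > ')).join('\n'));
```

Running it against a real lockfile (replace `lock` with `JSON.parse(fs.readFileSync('package-lock.json'))`) lists each chain that ends in the flagged package, so the fix can be applied at the chain's root rather than to the transitive dependency directly.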