CVE-2021-34083
Last modified
CVE-2021-34083 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.. EPSS estimates a 1.92% chance of exploitation in the next 30 days.
Description
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Google-It Project | Google-It | <= 1.6.2 |
References
- https://advisory.checkmarx.net/advisory/CX-2021-4777Exploit, Third Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/lib/googleIt.js#L59Exploit, Third Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/src/googleIt.js#L34Exploit, Third Party Advisory
- https://advisory.checkmarx.net/advisory/CX-2021-4777Exploit, Third Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/lib/googleIt.js#L59Exploit, Third Party Advisory
- https://github.com/PatNeedham/google-it/blob/v1.6.2/src/googleIt.js#L34Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-34083?
How severe is CVE-2021-34083?
How do I fix CVE-2021-34083?
Are you affected by CVE-2021-34083?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST