Growl before 1.10.0 vulnerable to Command Injection
CRITICAL
GHSA-qh2h-chj9-jffq
CVE-2017-16042
Description:
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.
Recommendation
Update to version 1.10.0 or later.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm | growl | < 1.10.0 | 1.10.0 |
Advisory Details
| Published: | June 08, 2018 |
| Updated: | June 16, 2026 |
| CVSS Score: | 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS: | 0.35% 58th percentile |
| Source: | GitHub |
| Classification: | GENERAL |
| UUID: | MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFoMmgtY2hqOS1qZmZx |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-16042
- https://github.com/tj/node-growl/issues/60
- https://github.com/tj/node-growl/pull/61
- https://www.npmjs.com/advisories/146
- https://github.com/tj/node-growl/pull/62
- https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669
- https://github.com/advisories/GHSA-qh2h-chj9-jffq