Backdoor in veged/coa NPM repository



Published: 2021-11-04
Risk Critical
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-506
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Subscribe
coa
Universal components / Libraries / Libraries used by multiple products

Vendor Sergey Berezhnoy

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Embedded malicious code (backdoor)

EUVDB-ID: #VU57962

Risk: Critical

CVSSv3.1:

CVE-ID: N/A

CWE-ID: CWE-506 - Embedded Malicious Code

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.

The npm package has been compromised and includes cryptomining and password stealing malware.

Mitigation

The latest version of the software is 2.0.2, which does not have malicious code.

Vulnerable software versions

coa: 2.0.3 - 2.1


CPE2.3 External links

http://ezplatform.com/security-advisories/ibexa-sa-2021-009-malicious-code-in-npm-veged-coa
http://github.com/veged/coa/issues/99

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###