Command Injection in clamscan

#VU26639 Command Injection in clamscan

Published: 2020-04-07 | Updated: 2021-09-22

Vulnerability identifier: #VU26639

Vulnerability risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-7613

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
clamscan
Universal components / Libraries / Libraries used by multiple products

Vendor: Kyle Farris

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the "_is_clamav_binary" function in "Index.js". A remote attacker can execute arbitrary commands on the target system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

clamscan: 0.2.1 - 1.2.0

External links
http://snyk.io/vuln/SNYK-JS-CLAMSCAN-564113
http://github.com/kylefarris/clamscan/blob/master/index.js#L34

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Arch Linux update for clamav

Command Injection in clamscan library