#VU57962 Embedded malicious code (backdoor) in coa


Published: 2021-11-04

Vulnerability identifier: #VU57962

Vulnerability risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-506

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
coa
Universal components / Libraries / Libraries used by multiple products

Vendor: Sergey Berezhnoy

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to the presence of embedded malicious functionality (a backdoor) in the application code, which allows a remote attacker to gain unauthorized access to the application.

The npm package has been compromised and includes cryptomining and password stealing malware.

Mitigation
The latest version of the software is 2.0.2, which does not contain the malicious code.

Vulnerable software versions

coa: 2.0.3 - 2.1


External links
http://ezplatform.com/security-advisories/ibexa-sa-2021-009-malicious-code-in-npm-veged-coa
http://github.com/veged/coa/issues/99


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

