Description
Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute arbitrary code in the machine.
Recommendation
Update the kerberos package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
References
- GHSA-m2mx-rfpw-jghv
- www.npmjs.com
- medium.com
- www.linkedin.com
- www.op-c.net
- CVE-2020-13110
- CWE-427
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Uncaught Exception in yaml - CVE-2023-2251
- Open Redirect in url-parse - CVE-2018-3774
- Simditor XSS Vulnerability - CVE-2018-6464
- RSSHub SSRF vulnerability - CVE-2023-22493
- Tags:
- npm
- kerberos
Anything's wrong? Let us know Last updated on August 21, 2023