A vulnerability, which was classified as critical, has been found in Summit 0.1.0 on Node.js (JavaScript Library). Affected by this issue is an unknown functionality of the component PouchDB Driver. The manipulation with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.

The bug was discovered 04/15/2017. The weakness was published 06/04/2018 (Website). The advisory is available at github.com. This vulnerability is handled as CVE-2017-16020 since 10/29/2017. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1059 by the MITRE ATT&CK project.

The vulnerability was handled as a non-public zero-day exploit for at least 415 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• JavaScript Library

Name

• Summit

Version

• 0.1.0

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion