CVE-2021-23399

7.3 HIGH

📋 TL;DR

CVE-2021-23399 is a command injection vulnerability in the wincred npm package that allows attackers to execute arbitrary commands on systems using vulnerable versions. This occurs when untrusted user input reaches the getCredential function, which uses child_process.exec without proper sanitization. All applications using wincred are affected.

💻 Affected Systems

Products:
  • wincred npm package
Versions: All versions before the patched version
Operating Systems: Windows, Linux, macOS - any OS where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using wincred's getCredential function with user-controlled input is vulnerable by default.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attacker to execute arbitrary commands with the privileges of the wincred process, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Limited command execution within the application's context, potentially allowing credential theft, lateral movement, or data exfiltration.

🟢 If Mitigated

No impact if input validation prevents untrusted data from reaching the vulnerable function or if the package is patched.

🌐 Internet-Facing: HIGH if wincred processes user input from external sources without validation.
🏢 Internal Only: MEDIUM if wincred only processes internal data, but could still be exploited via internal attacks or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: the attacker only needs to control the input passed to the getCredential function. Public PoCs demonstrate command injection via shell metacharacters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check npm registry for latest patched version

Vendor Advisory: https://github.com/rolangom/wincred/security/advisories

Restart Required: Yes

Instructions:

  1. Update wincred to the latest version via npm update wincred.
  2. Restart all Node.js applications using wincred.
  3. Verify no regressions in credential management functionality.

🔧 Temporary Workarounds

Input validation wrapper (applies to: all)

Implement strict input validation before passing data to wincred functions.

// JavaScript example: validate input before calling getCredential
const wincred = require('wincred');

function safeGetCredential(input) {
  // Allowlist: only letters, digits, underscore and hyphen reach wincred, so no
  // shell metacharacter (& | ; ` $ < > etc.) can make it into the underlying exec call.
  // The typeof check matters: RegExp.test(undefined) tests the string "undefined", which would pass.
  if (typeof input !== 'string' || !/^[a-zA-Z0-9_-]+$/.test(input)) {
    throw new Error('Invalid input');
  }
  return wincred.getCredential(input);
}

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all data passed to wincred functions
  • Use alternative credential management libraries that don't have this vulnerability

🔍 How to Verify

Check if Vulnerable:

Check package.json for wincred dependency and version. Vulnerable if using any version before the patched release.

Check Version:

npm list wincred

Verify Fix Applied:

Verify wincred version in package.json is updated to patched version and test credential functionality works without security issues.

📡 Detection & Monitoring

Log Indicators:

  • Unusual child process executions from Node.js applications
  • Failed credential retrieval attempts with suspicious characters
  • Error logs showing command execution failures

Network Indicators:

  • Outbound connections from Node.js processes to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

process.name: "node" AND process.cmdline: (*cmd.exe* OR *powershell* OR *sh* OR *bash*) AND NOT process.cmdline: expected_normal_command

Note: the query is written in generic pseudo-syntax. The wildcard "*sh*" also matches unrelated arguments and binaries containing "sh", so anchor the shell match to the child process image name in your SIEM's own syntax, and replace expected_normal_command with the command lines your application is known to run legitimately.
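As an added example, not code from the advisory or the wincred project: a small JavaScript classifier that applies the detection idea above (a Node.js process spawning a shell with an unexpected or metacharacter-laden command line) to constructed process-creation events. The event field names, the allowlisted "cmdkey" command line and the sample telemetry are assumptions, not anything wincred is known to run.

```javascript
// Added detection example, not part of the advisory: flag process-creation
// events where a Node.js process spawns a shell whose command line carries
// shell metacharacters or is not on the application's allowlist.
// The event shape is a constructed, generic record, not a specific EDR schema.

const NODE_IMAGE = /^node(\.exe)?$/i;
const SHELL_IMAGE = /^(cmd\.exe|powershell(\.exe)?|pwsh(\.exe)?|sh|bash|dash|zsh)$/i;
// Characters that chain or substitute commands; a bare credential name never needs them.
const METACHARS = /[&|;`$<>\r\n]/;
// Hypothetical allowlist of command lines the application legitimately runs;
// replace it with what your own telemetry shows during normal operation.
const EXPECTED = [/^cmd\.exe \/d \/s \/c "cmdkey \/list:[A-Za-z0-9_-]+"$/];

function basename(p) {
  return p.split(/[\\/]/).pop();
}

// Returns null for benign events, or the event annotated with a reason.
function classifyEvent(ev) {
  if (!NODE_IMAGE.test(basename(ev.parentImage))) return null;
  if (!SHELL_IMAGE.test(basename(ev.image))) return null;
  if (EXPECTED.some((re) => re.test(ev.commandLine))) return null;
  const reason = METACHARS.test(ev.commandLine)
    ? 'shell metacharacters in command line spawned by node'
    : 'node spawned a shell with an unexpected command line';
  return { ...ev, reason };
}

function scanEvents(events) {
  return events.map(classifyEvent).filter(Boolean);
}

// Constructed sample telemetry (not real logs). Node's exec() on Windows runs
// commands through `cmd.exe /d /s /c`, which is why the allowlist includes it.
const SAMPLE_EVENTS = [
  { parentImage: 'C:\\Program Files\\nodejs\\node.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd.exe /d /s /c "cmdkey /list:db-service"' },
  { parentImage: 'C:\\Program Files\\nodejs\\node.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd.exe /d /s /c "cmdkey /list:db-service & echo injected"' },
  { parentImage: '/usr/bin/node', image: '/bin/sh', commandLine: '/bin/sh -c "uname -a"' },
  { parentImage: 'C:\\Windows\\explorer.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd.exe /c dir | more' },
];

for (const hit of scanEvents(SAMPLE_EVENTS)) {
  console.log(`ALERT: ${hit.reason}: ${hit.commandLine}`);
}
```

Only the two node-parented events that are off the allowlist are reported; the allowlisted lookup and the explorer-parented shell are ignored.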
