CVE-2021-34084

9.8 CRITICAL

📋 TL;DR

This CVE describes an OS command injection vulnerability in the Turistforeningen node-s3-uploader npm package for Node.js. An attacker who controls input that reaches the package's metadata() function can execute arbitrary OS commands on the server. Any Node.js application using a vulnerable version of this package is affected.

💻 Affected Systems

Products:
  • Turistforeningen node-s3-uploader
Versions: through 2.0.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable metadata() function. The package is used for uploading files to Amazon S3.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands with the privileges of the Node.js process, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Remote code execution leading to data exfiltration, cryptocurrency mining, or lateral movement within the network.

🟢 If Mitigated

Limited impact due to proper input validation, sandboxing, or least-privilege execution contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control input to the metadata() function. Public proof-of-concept exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.4

Vendor Advisory: https://advisory.checkmarx.net/advisory/CX-2021-4776

Restart Required: Yes

Instructions:

1. Update package.json to specify node-s3-uploader version 2.0.4 or higher.
2. Run 'npm update node-s3-uploader'.
3. Restart the Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation and sanitization for all user inputs passed to the metadata() function.

Remove or disable vulnerable function (applies to: all)

If the metadata() function is not essential, remove or disable its usage in the application.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected systems from critical assets.
  • Deploy application-level firewalls (WAF) with command injection detection rules.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/node-s3-uploader/package.json for version <=2.0.3.

Check Version:

npm list node-s3-uploader | grep node-s3-uploader

Verify Fix Applied:

Verify package.json specifies version >=2.0.4 and check installed version with 'npm list node-s3-uploader'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process executions from Node.js, unexpected command-line arguments, failed command executions

Network Indicators:

  • Outbound connections to suspicious IPs from Node.js process, unexpected data exfiltration

SIEM Query:

process.name:node AND cmdline:*metadata* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|*)
