GHSA-5mrr-rgp6-x4gr

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Command Injection in marsdb

All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Ссылки

https://github.com/bkimminich/juice-shop/issues/1173
https://www.npmjs.com/advisories/1122

Пакеты

Наименование

marsdb

npm

Затронутые версииВерсия исправления

>= 0.0.0

Отсутствует

Дефекты

CWE-77

Дефекты

CWE-77