GHSA-8whr-v3gm-w8h9

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

CVSS3: 8.1

Описание

Duplicate Advisory: Command Injection in node-rules

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f78f-353m-cf4j. This link is maintained to preserve external references.

Original Description

Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are user-controlled.

Recommendation

Upgrade to version 5.0.0 or later.

Ссылки

https://github.com/mithunsatheesh/node-rules/issues/84
https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832
https://snyk.io/vuln/SNYK-JS-NODERULES-560426

Пакеты

Наименование

node-rules

npm

Затронутые версииВерсия исправления

< 5.0.0

5.0.0

8.1 High

CVSS3

Дефекты

CWE-78

8.1 High

CVSS3

Дефекты

CWE-78