GHSA-995x-33wq-8gc9

Опубликовано: 14 дек. 2022

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

cycle-import-check vulnerable to Command Injection

The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2022-24377
https://github.com/Soontao/cycle-import-check/commit/1ca97b59df7e9c704471fcb4cf042ce76d7c9890
https://security.snyk.io/vuln/SNYK-JS-CYCLEIMPORTCHECK-3157955

Пакеты

Наименование

cycle-import-check

npm

Затронутые версииВерсия исправления

< 1.3.2

1.3.2

EPSS

Процентиль: 80%

0.0137

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2022-24377

Дефекты

CWE-77

CWE-78

Связанные уязвимости

CVE-2022-24377

CVSS3: 7.4

nvd

около 3 лет назад

The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.

EPSS

Процентиль: 80%

0.0137

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2022-24377

Дефекты

CWE-77

CWE-78