Description
Arbitrary Code Injection in pouchdb
Affected versions of pouchdb do not properly sandbox the code execution engine that executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server.
Recommendation
Update to version 6.0.5 or later.
Packages
Name: pouchdb (npm)
Affected versions: < 6.0.5
Fixed version: 6.0.5
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.
CVSS3: 9.8
fstec
more than 9 years ago
A vulnerability in the implementation of the map/reduce functions of the PouchDB database that allows an attacker to execute arbitrary code