CVE-2019-10799

Опубликовано: 24 фев. 2020

Источник: nvd

CVSS3: 8.2

CVSS2: 8.5

EPSS Низкий

Описание

compile-sass prior to 1.0.5 allows execution of arbritary commands. The function "setupCleanupOnExit(cssPath)" within "dist/index.js" is executed as part of the "rm" command without any sanitization.

Ссылки

https://github.com/eiskalteschatten/compile-sass/commit/d9ada7797ff93875b6466dea7a78768e90a0f8d2
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-COMPILESASS-551804
Exploit
Third Party Advisory
https://github.com/eiskalteschatten/compile-sass/commit/d9ada7797ff93875b6466dea7a78768e90a0f8d2
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-COMPILESASS-551804
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:compile-sass_project:compile-sass:*:*:*:*:*:*:*:*

Версия до 1.0.5 (исключая)

EPSS

Процентиль: 62%

0.00432

Низкий

8.2 High

CVSS3

8.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-79qm-h35f-hr77

CVSS3: 9.8

github

почти 5 лет назад

OS Command Injection in compile-sass