CVE-2020-11079

Опубликовано: 28 мая 2020

Источник: nvd

CVSS3: 8.6

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.

Ссылки

https://github.com/skoranga/node-dns-sync/commit/cb10a5ac7913eacc031ade7d91596277f31645dc
Patch
Third Party Advisory
https://github.com/skoranga/node-dns-sync/security/advisories/GHSA-wh69-wc6q-7888
Third Party Advisory
https://github.com/skoranga/node-dns-sync/commit/cb10a5ac7913eacc031ade7d91596277f31645dc
Patch
Third Party Advisory
https://github.com/skoranga/node-dns-sync/security/advisories/GHSA-wh69-wc6q-7888
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:node-dns-sync_project:node-dns-sync:*:*:*:*:*:*:*:*

Версия до 0.2.1 (исключая)

EPSS

Процентиль: 90%

0.05686

Низкий

8.6 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

CWE-77

Связанные уязвимости

GHSA-wh69-wc6q-7888

CVSS3: 8.6

github

больше 5 лет назад

Command injection in node-dns-sync

EPSS

Процентиль: 90%

0.05686

Низкий

8.6 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

CWE-77