CVE-2020-7602

Опубликовано: 15 мар. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.

Ссылки

https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115
Exploit
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-NODEPROMPTHERE-560115
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:node-prompt-here_project:node-prompt-here:*:*:*:*:*:node.js:*:*

Версия до 1.0.1 (включая)

EPSS

Процентиль: 62%

0.00426

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-f8fh-8rgm-227h