exploitDog

CVE-2021-21414

Published: 29 Apr 2021
Source: nvd
CVSS3: 7.7
CVSS3: 7.2
CVSS2: 6.5
EPSS: Low

Description

Prisma is an open source ORM for Node.js & TypeScript. As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function and this function is not advertised and only used for tests & building our CLI. No malicious code was found after checking our codebase.

Vulnerable configurations

Configuration 1
cpe:2.3:a:prisma:prisma:*:*:*:*:*:node.js:*:*
Versions before 2.20.0 (exclusive)

EPSS

Percentile: 85%
0.02563
Low

7.7 High

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Weaknesses

CWE-78

Related vulnerabilities

CVSS3: 7.7
github
almost 5 years ago

Command injection vulnerability in @prisma/sdk in getPackedPackage function
