
CVE-2020-7789

Published: 11 Dec 2020
Source: redhat
CVSS3: 5.6
EPSS: Low

Description

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

A flaw was found in node-notifier. An attacker can run arbitrary commands on Linux machines due to the options params not being sanitized when being passed an array.

Report

Whilst the OpenShift ServiceMesh (OSSM) and OpenShift Container Platform (OCP) containers include the vulnerable nodejs-node-notifier library, successful exploitation requires additional packages on the node (such as a desktop notification library) which are not part of the OpenShift ServiceMesh or OpenShift Container Platform products. Additionally, access to the vulnerable nodejs-node-notifier library is restricted to authenticated users only (OpenShift OAuth authentication). Therefore these OSSM and OCP components have been marked as wont-fix and may be addressed in future updates. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence it is marked Out Of Support Scope. The nodejs-notifier library was present in Red Hat Advanced Cluster Management for Kubernetes version 2.0, but is no longer used since version 2.1. Customers are advised to upgrade to the latest version, which is fully supported and does not include this vulnerability.

Affected packages

Platform                                                 Package                       State                  Recommendation  Release
OpenShift Service Mesh 1                                 kiali                         Out of support scope
OpenShift Service Mesh 1                                 servicemesh-grafana           Out of support scope
OpenShift Service Mesh 1                                 servicemesh-prometheus        Out of support scope
OpenShift Service Mesh 2.0                               servicemesh-grafana           Will not fix
OpenShift Service Mesh 2.0                               servicemesh-prometheus        Will not fix
Red Hat Advanced Cluster Management for Kubernetes 2     node-notifier                 Out of support scope
Red Hat OpenShift Container Platform 4                   openshift4/ose-console        Will not fix
Red Hat OpenShift Container Platform 4                   openshift4/ose-grafana        Will not fix
Red Hat OpenShift Container Platform 4                   openshift4/ose-prometheus     Will not fix
Red Hat OpenShift Container Platform 4                   openshift4/ose-thanos-rhel8   Will not fix

Additional information

Severity: Moderate
Weakness: CWE-78
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1906853
nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array

EPSS: 0.00197 (percentile: 42%, Low)

CVSS3: 5.6 Medium

Related vulnerabilities

CVSS3: 5.6
nvd
about 5 years ago

This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

CVSS3: 5.6
github
about 5 years ago

OS Command Injection in node-notifier

CVSS3: 5.6
fstec
about 5 years ago

A vulnerability in the node-notifier package related to improper neutralization of special elements used in operating system commands, allowing an attacker to execute arbitrary code
