Description
OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4.
A flaw was found in npm-lockfile: npm-lockfile v2 did not sanitize its only parameter before passing that input to a sensitive command execution API. This leads to a command injection vulnerability.
Statement
This flaw only affects npm-lockfile v2. Red Hat Enterprise Linux is not affected by this issue as it ships npm-lockfile v1. Note that the impact is Low as there is no way for external attackers to provide unsafe input and exploit the issue. See huntr vulnerability report (External References) for more information in this regard.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | 389-ds:1.4/389-ds-base | Not affected | | |
| Red Hat Enterprise Linux 8 | cockpit | Not affected | | |
| Red Hat Enterprise Linux 8 | cockpit-appstream | Not affected | | |
| Red Hat Enterprise Linux 8 | container-tools:2.0/cockpit-podman | Not affected | | |
| Red Hat Enterprise Linux 8 | container-tools:rhel8/cockpit-podman | Not affected | | |
| Red Hat Enterprise Linux 8 | nodejs:12/nodejs | Not affected | | |
| Red Hat Enterprise Linux 8 | nodejs:14/nodejs | Not affected | | |
| Red Hat Software Collections | rh-nodejs12-nodejs | Not affected | | |
| Red Hat Software Collections | rh-nodejs14-nodejs | Not affected | | |
Additional information
EPSS
CVSS3: 5.3 (Medium)