Lucene search

[email protected]CVE-2020-28494

HistoryFeb 02, 2021 - 11:15 a.m.

CVE-2020-28494

2021-02-0211:15:13

CWE-78

[email protected]

web.nvd.nist.gov

cve

2020

28494

total.js

package

image.pipe

image.stream

child_process.spawn

shell injection

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

8.5 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.5%

JSON

This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.

Affected configurations

NVD

Node

totaljstotal.jsRange<3.4.7node.js

CPENameOperatorVersion
totaljs:total.jstotaljs total.jslt3.4.7

CPE	Name	Operator	Version
totaljs:total.js	totaljs total.js	lt	3.4.7

CNA Affected

[
  {
    "product": "total.js",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "3.4.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]