Lucene search

GitHub Advisory DatabaseGHSA-3P94-VJ97-FM4Q

HistoryDec 09, 2021 - 7:56 p.m.

OS Command Injection in fsa

2021-12-0919:56:44

CWE-78

GitHub Advisory Database

github.com

os command injection

fsa

vulnerability

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.9%

JSON

fsa through 0.5.1 is vulnerable to Command Injection. The first argument of ‘execGitCommand()’, located within ‘lib/rep.js#63’ can be controlled by users without any sanitization to inject arbitrary commands.

Affected configurations

Vulners

Node

fsa_projectfsaRange≤0.5.1

VendorProductVersionCPE
fsa_projectfsa*cpe:2.3:a:fsa_project:fsa:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fsa_project	fsa	*	cpe:2.3:a:fsa_project:fsa::::::::

References

github.com/advisories/GHSA-3p94-vj97-fm4q

github.com/gregof/fsa/blob/master/lib/rep.js#L12

nvd.nist.gov/vuln/detail/CVE-2020-7615

snyk.io/vuln/SNYK-JS-FSA-564118

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.9%

JSON

Related for GHSA-3P94-VJ97-FM4Q