Lucene search

GitHub Advisory DatabaseGHSA-QJG4-W4C6-F6C6

HistoryJun 18, 2020 - 7:23 p.m.

Command injection in mversion

2020-06-1819:23:17

CWE-77

GitHub Advisory Database

github.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.002 Low

EPSS

Percentile

60.7%

JSON

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

Patches

Patched by version 2.0.0. Previous releases are deprecated in npm.

Workarounds

Make sure to escape git commit messages when using the commitMessage option for the update function.

Affected configurations

Vulners

Node

mversion_projectmversionRange<2.0.0

CPENameOperatorVersion
mversionlt2.0.0

CPE	Name	Operator	Version
	mversion	lt	2.0.0

References

github.com/advisories/GHSA-qjg4-w4c6-f6c6

github.com/mikaelbr/mversion/commit/6c76c9efd27c7ff5a5c6f187e8b7a435c4722338

github.com/mikaelbr/mversion/security/advisories/GHSA-qjg4-w4c6-f6c6

nvd.nist.gov/vuln/detail/CVE-2020-4059

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.002 Low

EPSS

Percentile

60.7%

JSON

Related for GHSA-QJG4-W4C6-F6C6