Lucene search
GoogleOSV:GHSA-XRJF-PHVV-R4VRHistoryFeb 27, 2022 - 12:00 a.m.
Command injection in strapi
2022-02-2700:00:15
Google
osv.dev
7
0.001 Low
EPSS
Percentile
47.5%
When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link, this happens due to improper sanitization of user input.
References
github.com/strapi/strapi
github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13
github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
github.com/strapi/strapi/issues/12879
huntr.dev/bounties/001d1c29-805a-4035-93bb-71a0e81da3e5
nvd.nist.gov/vuln/detail/CVE-2022-0764
www.github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c
Related
osv
osv
CVE-2022-0764
2022-02-26 15:15:07
cve
cve
CVE-2022-0764
2022-02-26 15:15:07
huntr
huntr
Arbitrary Command Injection
2022-02-17 15:58:55
cnvd
cnvd
strapi OS command injection vulnerability
2022-03-01 00:00:00
prion
prion
Command injection
2022-02-26 15:15:00
nvd
nvd
CVE-2022-0764
2022-02-26 15:15:07
github
github
Command injection in strapi
2022-02-27 00:00:15
veracode
veracode
Remote Code Execution (RCE)
2022-02-28 07:12:12
cvelist
cvelist
CVE-2022-0764 Arbitrary Command Injection in strapi/strapi
2022-02-26 14:55:09