67 matches found
PYSEC-2022-238
This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method...
PYSEC-2022-238
This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method...
CVE-2019-10800
The CVE-2019-10800 issue affects the Python package codecov prior to 2.0.16, caused by inadequate sanitization of gcov arguments before passing them to subprocess popen. Impact is described in connected advisories as a code execution/command invocation risk (details vary by report). Remediation i...
CVE-2019-10800 Command Injection
This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method...
codecov 参数注入漏洞
codecov is a specialized code coverage solution open-sourced by codecov. A security vulnerability exists in codecov versions prior to 2.0.16, which stems from not cleaning up the gcov parameter before supplying it to the popen method...
PT-2022-8076 · Codecov +1 · Codecov +1
Name of the Vulnerable Software and Affected Versions: codecov versions prior to 2.0.16 Description: The issue arises from the failure to sanitize gcov arguments before they are provided to the popen method. This lack of sanitization can lead to potential exploitation. Recommendations: For versio...
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument...
GHSA-MH2H-6J8Q-X246 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument...
Securing the Supply Chain: Lessons Learned from the Codecov Compromise
Supply chain attacks are all the rage these days. While they’re not a new part of the threat landscape, they are growing in popularity among more sophisticated threat actors, and they can create significant system-wide disruption, expense, and loss of confidence across multiple organizations,...
Google Releases New Framework to Prevent Software Supply Chain Attacks
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications. Called "Supply chain Levels for Software Artifacts" SLSA, and...
Replacement of bash script by an attacker to one that includes malicious commands in Codecov Bash uploader version All versions downloaded from Jan 2021 through April 2021. Because the attacker had control of the script the version # included in it cannot be trusted.
In Codecov Codecov Bash uploader version All versions downloaded from Jan 2021 through April 2021. Because the attacker had control of the script the version included in it cannot be trusted. a Replacement of bash script by an attacker to one that includes malicious commands exists in the The Bas...
GSD-2021-1000009 Replacement of bash script by an attacker to one that includes malicious commands in Codecov Bash uploader version All versions downloaded from Jan 2021 through April 2021. Because the attacker had control of the script the version # included in it cannot be trusted.
In Codecov Codecov Bash uploader version All versions downloaded from Jan 2021 through April 2021. Because the attacker had control of the script the version included in it cannot be trusted. a Replacement of bash script by an attacker to one that includes malicious commands exists in the The Bas...
Rapid7 Source Code Breached in Codecov Supply-Chain Attack
Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositorie...
Rapid7’s Response to Codecov Incident
Cybersecurity is Rapid7’s top priority, and when there is an incident that may pose a risk to our customers, we are transparent about it. We also believe that providing this level of transparency ultimately helps the security community better address potential pending threats and safeguard...
Codecov Releases New Detections for Supply Chain Compromise
CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script...
Backdoor Found in Codecov Bash Uploader
Developers have discovered a backdoor in the Codecov bash uploader. Its been there for four months. We dont know who put it there. Codecov said the breach allowed the attackers to export information stored in its users continuous integration CI environments. This information was then sent to a...
CodeCov supply-chain compromise likened to SolarWinds attack
CodeCov, a company that creates software auditing tools for developers, was recently breached the company says it was breached on April 1, and reported it on the April 15. According to investigators, this incident, in turn, gave attackers access to an unknown number of CodeCov’s clients networks...
Codecov Discloses Supply Chain Compromise
The following blog was co-authored by Curt Barnard and Caitlin Condon. On April 15, 2021, code coverage and testing company Codecov announced a supply chain compromise in which a malicious party gained access to their Bash Uploader script and modified it without authorization, enabling the...
OS Command Injection
codecov is vulnerable to OS command injection. The vulnerability exists as it was possibly to use backticks "" to bypass the sanitizer. This issue is related to CVE-2020-7597...
CVE-2020-15123
In codecov npm package before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE CVE-2020-7597 for GHSA-5q88-cjfq-g2mh was...