@zowe/imperative is vulnerable to Command Injection. The vulnerability exists due to the insecure usage of execSync, which allows an already-privileged local attacker to inject and execute malicious shell commands through the plugin install/update commands or through maliciously formed environment variables.
github.com/advisories/GHSA-6q8m-42qq-64r7
github.com/zowe/imperative/
github.com/zowe/imperative/commit/27df7bab8f78e219cf0e07da1227bd3d9fe06476
github.com/zowe/imperative/commit/cc0d3fb4e2441f84cc89619e199b05eec7226b37
github.com/zowe/imperative/commits/v4.18.10
github.com/zowe/imperative/commits/v5.7.1
github.com/zowe/imperative/pull/900
github.com/zowe/imperative/pull/902