Lucene search
Veracode Vulnerability DatabaseVERACODE:39510HistoryMar 04, 2023 - 7:36 a.m.
Command Injection
2023-03-0407:36:35
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
8
command injection
vulnerability
local attackers
shell commands
environment variables
software
EPSS
0
Percentile
13.3%
@zowe/imperative is vulnerable to Command Injection. The vulnerability exists due to the insecure usage of execSync, which allows an already-privileged local attackers to inject and execute malicious shell commands through the plugin install/update commands or through maliciously formed environment variables.
References
github.com/advisories/GHSA-6q8m-42qq-64r7
github.com/zowe/imperative/
github.com/zowe/imperative/commit/27df7bab8f78e219cf0e07da1227bd3d9fe06476
github.com/zowe/imperative/commit/cc0d3fb4e2441f84cc89619e199b05eec7226b37
github.com/zowe/imperative/commits/v4.18.10
github.com/zowe/imperative/commits/v5.7.1
github.com/zowe/imperative/pull/900
github.com/zowe/imperative/pull/902
Related
cvelist
cvelist
CVE-2021-4326 Imperative Local Command Injection allows Activity Masking
2023-02-22 15:21:06
nvd
nvd
CVE-2021-4326
2023-03-01 08:15:10
prion
prion
Design/Logic Flaw
2023-03-01 08:15:00
github
github
Imperative CLI vulnerable to Command Injection
2023-03-01 09:30:29
cve
cve
CVE-2021-4326
2023-03-01 08:15:10
osv
osv
Imperative CLI vulnerable to Command Injection
2023-03-01 09:30:29
CVE-2021-4326
2023-03-01 08:15:10