SB2020052008 - OS Command Injection in npm-programmatic

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020052008

SB2020052008 - OS Command Injection in npm-programmatic

Published: May 20, 2020 Updated: May 20, 2020

Security Bulletin ID SB2020052008
Severity
Medium
Patch available
NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to application does not properly sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions. A remote attacker can supply a package with specially crafted package name to the application and execute arbitrary code in the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References