Main Vulnerability Database SB2020090218

SB2020090218 - OS Command Injection in bestzip package for NPM

Published: September 2, 2020 Updated: September 15, 2020

Security Bulletin ID SB2020090218

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to sanitize input rules and passes it directly to an exec call on the zip function . attackers to execute arbitrary code in the system as long as the values of destination is user-controlled. This only affects users with a native zip command available. The following examples demonstrate the issue from the CLI and also programatically:

bestzip test.zip 'sourcefile; mkdir folder' zip({ source: 'sourcefile', destination: './test.zip; mkdir folder' })

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

https://www.npmjs.com/advisories/1554