Main Vulnerability Database Vulnerabilities #VU25737

#VU25737 OS Command Injection in codecov-python - CVE-2019-10800

Published: March 3, 2020

Vulnerability identifier: #VU25737

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2019-10800

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
codecov-python

Software vendor:
Codecov

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper sanitization of "gcov" arguments before being provided to the "popen" method. A remote authenticated attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://snyk.io/vuln/SNYK-PYTHON-CODECOV-552149
https://github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902

#VU25737 OS Command Injection in codecov-python - CVE-2019-10800

Description

Remediation

External links

Please verify you're human