Main Vulnerability Database Vulnerabilities #VU26646

OS Command Injection in codecov-python - #VU26646

Published: April 7, 2020

Vulnerability identifier: #VU26646

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Codecov

Affected software:
codecov-python

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to "shell" being defined as "TRUE" in the command line. A remote authenticated attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

Sources

https://snyk.io/vuln/SNYK-PYTHON-CODECOV-564342
https://github.com/codecov/codecov-python/commit/f2c93c7893847e50639416c1bc2e38cb375825d8
https://github.com/codecov/codecov-python/pull/234

OS Command Injection in codecov-python - #VU26646

Detailed vulnerability description

Remediation

Sources

Please verify you're human