Main Vulnerability Database Vulnerabilities #VU26646

#VU26646 OS Command Injection in codecov-python

Published: April 7, 2020

Vulnerability identifier: #VU26646

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
codecov-python

Software vendor:
Codecov

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to "shell" being defined as "TRUE" in the command line. A remote authenticated attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://snyk.io/vuln/SNYK-PYTHON-CODECOV-564342
https://github.com/codecov/codecov-python/commit/f2c93c7893847e50639416c1bc2e38cb375825d8
https://github.com/codecov/codecov-python/pull/234