CVE-2020-36642

EPSS 3.69%
Veröffentlicht 06.01.2023 11:15:09
Zuletzt bearbeitet 21.11.2024 05:29:59
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability was found in trampgeek jobe up to 1.6.x and classified as critical. This issue affects the function run_in_sandbox of the file application/libraries/LanguageTask.php. The manipulation leads to command injection. Upgrading to version 1.7.0 is able to address this issue. The identifier of the patch is 8f43daf50c943b98eaf0c542da901a4a16e85b02. It is recommended to upgrade the affected component. The identifier VDB-217553 was assigned to this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jobe Project ≫ Jobe Version < 1.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.69%	0.876

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	5.5	2.1	3.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	5.2	5.1	6.4	AV:A/AC:L/Au:S/C:P/I:P/A:P

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/trampgeek/jobe/commit/8f43daf50c943b98eaf0c542da901a4a16e85b02

Patch

https://github.com/trampgeek/jobe/issues/39

Third Party Advisory

Issue Tracking

https://github.com/trampgeek/jobe/releases/tag/v1.7.0

Release Notes

https://vuldb.com/?ctiid.217553

Third Party Advisory

Permissions Required

https://vuldb.com/?id.217553

Third Party Advisory