9.8

CVE-2020-7677

Exploit

Arbitrary Code Execution

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Thenify ProjectThenify SwPlatformnode.js Version < 3.3.1
DebianDebian Linux Version10.0
FedoraprojectFedora Version36
FedoraprojectFedora Version37
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.64% 0.734
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
report@snyk.io 8.6 3.9 4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
https://github.com/thenables/thenify/blob/master/index.js%23L17
Broken Link
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
Patch
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
Third Party Advisory
Mailing List
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
Third Party Advisory
Exploit
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
Third Party Advisory
Exploit