CVE-2020-7789
Aliases:GHSA-5fw9-fq32-wv5p
Advisory lineage Upstream: 0 Downstream: 1
Downstream
Modified
Published: 11 Dec 2020, 09:55
Last modified:16 Sept 2024, 16:28
Vulnerability Summary
Overall Risk (default)
medium
27/100 CVSS Score
6.8 MEDIUM
v2.0 (nvd)
EPSS Score
0.21% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
11 Dec 2020, 09:55
Published
Vulnerability first disclosed
16 Sept 2024, 16:28
Last Modified
Vulnerability information updated
Description
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.6CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.21%• Percentile: 43%
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- node-notifier_project•node-notifier
< 8.0.1
- Npm•node-notifier
< 8.0.1
References (5)
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050371
- https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js%23L303
- https://nvd.nist.gov/vuln/detail/CVE-2020-7789
- https://github.com/mikaelbr/node-notifier/commit/5d62799dab88505a709cd032653b2320c5813fce