CVE-2020-7596
published 2020-01-25
CVE-2020-7596: Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
Priority P2 · 60 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.86% (76.6th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codecov | codecov | < 3.6.5 | 3.6.5 |
| codecov | codecov | >= 0 < 3.6.5 | 3.6.5 |
| codecov | codecov | >= 0 < 3.6.2 | 3.6.2 |
| codecov | nodejs_uploader | < 3.6.2 | 3.6.2 |
CVSS provenance
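| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | | 8.8 | HIGH | |
| osv | | 8.8 | HIGH | |
| vendor_redhat | | 5.3 | MEDIUM | |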
GHSA
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
ghsa·2022-05-24
CVE-2020-7596 [HIGH] CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
OSV
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
osv·2022-05-24
CVE-2020-7596 [HIGH] Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
GHSA
codecov NPM module allows remote attackers to execute arbitrary commands
ghsa·2020-02-19·CVSS 8.8
CVE-2020-7597 [HIGH] CWE-78 codecov NPM module allows remote attackers to execute arbitrary commands
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.
OSV
codecov NPM module allows remote attackers to execute arbitrary commands
osv·2020-02-19·CVSS 8.8
CVE-2020-7597 [HIGH] codecov NPM module allows remote attackers to execute arbitrary commands
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.
Red Hat
networkmanager: UDP encapsulation protocol excessive trust
vendor_redhat·2025-01-14·CVSS 5.3
CVE-2024-7596 [MEDIUM] CWE-348 networkmanager: UDP encapsulation protocol excessive trust
The proposed Generic UDP Encapsulation (GUE) (IETF Draft) does not validate or verify the source of a network packet, allowing an attacker to spoof and route arbitrary traffic via an exposed network interface, which can lead to spoofing, access control bypass, and other unexpected network behaviors.
This can be considered similar to CVE-2020-10136.
An insecure configuration flaw was found in the Generic UDP Encapsulation Protocol. When configured to not require authentication or filtering, this issue could allow a remote unauthenticated attacker to spoof packets or bypass access controls.
Statement: This vulnerability is rated as Low impact as it requires a known higher risk configuration. Multiple layers of defaults (packet forwarding a
No detection rules found.
No public exploits indexed.
2020-01-25
Published