CVE-2020-7677 — OS Command Injection in Project Thenify

CWE-78 — OS Command Injection7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 22.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thenify Project Thenify Debian Node-thenify Debian Linux +1 more

Timeline

PublishedJul 25

Latest updateApr 13

Description

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/node-thenify< node-thenify 3.3.1-1 (bookworm)

▶CVEListV5thenify_project/thenifyunspecified — 3.3.1

▶NVDthenify_project/thenify< 3.3.1

▶npmthenify_project/thenify< 3.3.1

Also affects: Debian Linux 10.0, Fedora 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-7677: This affects the package thenify before 3↗2022-07-25

▶

GHSA

thenify before 3.3.1 made use of unsafe calls to `eval`.↗2022-07-18

▶

OSV

thenify before 3.3.1 made use of unsafe calls to `eval`.↗2022-07-18

▶

📋Vendor Advisories

Ubuntu

thenify vulnerability↗2023-04-13

▶

Red Hat

thenify: Arbitrary Code Execution in thenify↗2022-07-25

▶

Debian

CVE-2020-7677: node-thenify - This affects the package thenify before 3.3.1. The name argument provided to the...↗2020

▶