CVE-2020-7712 — OS Command Injection in Json

CWE-78 — OS Command Injection8 documents5 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 32.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Joyent Json Oracle Timesten In-memory Database Oracle Commerce Guided Search +2 more

Timeline

PublishedAug 30

Latest updateApr 15

Description

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5joyent/jsonunspecified — 10.0.0

▶NVDjoyent/json< 10.0.0

▶npmjoyent/json< 10.0.0

▶NVDoracle/timesten_in-memory_database< 21.1.1.1.0

▶NVDoracle/commerce_guided_search11.3.2

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

trentm/json vulnerable to command injection↗2021-05-06

▶

OSV

trentm/json vulnerable to command injection↗2021-05-06

▶

CVEList

Command Injection↗2020-08-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle Siebel CRM Risk Matrix: Loging (Apache ZooKeeper) — CVE-2020-7712↗2023-04-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Framework, Experience Manager (Apache ZooKeeper) — CVE-2020-7712↗2022-07-15

▶

Oracle

Oracle Oracle TimesTen In-Memory Database Risk Matrix: TimesTen Infrastructure (Apache ZooKeeper) — CVE-2020-7712↗2022-01-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Reports (Apache ZooKeeper) — CVE-2020-7712↗2021-07-15

▶