CVE-2020-7677
Published: 25 July 2022
This affects the package thenify before 3.3.1. The name argument passed to the package can be controlled by users and is passed to the eval function without any sanitization.
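As an added illustration of the flaw described above (this is not thenify's own code), the pattern of splicing a caller-supplied function name into source text for eval, beside a hardened form that validates the name and sets it without eval; the function and variable names below are hypothetical:

```javascript
// Added example, not thenify's code: the pattern behind CVE-2020-7677.
// Splicing a caller-supplied name into source text given to eval() is code
// injection unless the name is guaranteed to be a plain identifier.

// Vulnerable pattern: the name is interpolated straight into evaluated source.
function wrapWithEval(name, impl) {
  // eslint-disable-next-line no-eval
  return eval('(function ' + name + '() { return impl.apply(this, arguments); })');
}

// Only a plain JavaScript identifier is acceptable as a function name.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeIdentifier(name) {
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Hardened version: no eval at all. The wrapper's name is set through
// Object.defineProperty, so the input stays data and never becomes source.
function wrapSafely(name, impl) {
  if (!isSafeIdentifier(name)) {
    throw new TypeError('function name must be a plain identifier');
  }
  const wrapper = function () { return impl.apply(this, arguments); };
  Object.defineProperty(wrapper, 'name', { value: name, configurable: true });
  return wrapper;
}

// Constructed sample inputs: a legitimate name and one that is not an identifier.
const goodName = 'readFileAsync';
const badName = 'not-an-identifier';

function demo() {
  const ok = wrapSafely(goodName, (a, b) => a + b);
  let rejected = false;
  try { wrapSafely(badName, () => 0); } catch (e) { rejected = e instanceof TypeError; }
  return { name: ok.name, sum: ok(2, 3), rejected };
}
```

The hardened wrapper keeps the named-function behaviour the eval trick was used for, while any name that is not an identifier is rejected before it can reach an evaluator.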
Status
Package | Release | Status |
---|---|---|
node-thenify (Launchpad, Ubuntu, Debian) | bionic | Released (3.3.0-1+deb10u1build0.18.04.1) |
node-thenify | focal | Released (3.3.0-1+deb10u1build0.20.04.1) |
node-thenify | jammy | Not vulnerable (3.3.1-2) |
node-thenify | kinetic | Not vulnerable |
node-thenify | lunar | Not vulnerable |
node-thenify | trusty | Does not exist |
node-thenify | upstream | Released (3.3.1-1) |
node-thenify | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://github.com/thenables/thenify/blob/master/index.js#L17
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://ubuntu.com/security/notices/USN-6016-1
- https://www.cve.org/CVERecord?id=CVE-2020-7677
- NVD
- Launchpad
- Debian