Command Injection

Affecting org.webjars.npm:node-notifier artifact, versions [,9.0.0)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

org.webjars.npm:node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Remediation

Upgrade org.webjars.npm:node-notifier to version 9.0.0 or higher.

References

CVSS Score

5.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Alessio Della Libera (d3lla)
CVE
CVE-2020-7789
CWE
CWE-78
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-1050371
Disclosed
04 Nov, 2020
Published
13 Dec, 2020