<p>Upgrade <code>aws-lambda</code> to version 1.0.5 or higher.</p>

Command Injection Affecting aws-lambda package, versions <1.0.5

Snyk CVSS

Attack Complexity Low

Confidentiality High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.22% (61^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-AWSLAMBDA-540839
published 7 Jan 2020
disclosed 7 Jan 2020
credit JHU System Security Lab

Report a new vulnerability Found a mistake?

Introduced: 7 Jan 2020

CVE-2019-10777 Open this link in a new tab CWE-78 Open this link in a new tab First added by Snyk

How to fix?

Upgrade aws-lambda to version 1.0.5 or higher.

Overview

aws-lambda is a command line tool deploy code to AWS Lambda.

Affected versions of this package are vulnerable to Command Injection. The config.FunctioName is used to construct the argument used within the exec function without any sanitization. It is possible for a user to inject arbitrary commands to the zipCmd used within config.FunctionName located in the file lib/main.js (line 78).

PoC by JHU System Security Lab

// aws-lambda-config.lambda
{"FunctionName": "& touch Song &", 
"PATH": "./"}

var root = require("aws-lambda");
root.deploy("aws-lambda-config");

References

GitHub Commit