Overview
aws-lambda is a command line tool to deploy code to AWS Lambda.
Affected versions of this package are vulnerable to Command Injection. The value of config.FunctionName is used to construct the argument passed to the exec function without any sanitization, so anyone who controls the deployment configuration can inject arbitrary shell commands into the zipCmd built from config.FunctionName in the file lib/main.js (line 78). The injected commands run with the privileges of the user performing the deployment.
PoC by JHU System Security Lab
// aws-lambda-config.lambda (deployment config; FunctionName carries the payload)
{
  "FunctionName": "& touch Song &",
  "PATH": "./"
}

// deploy script: running the deploy creates the file "Song" in the working directory
var root = require("aws-lambda");
root.deploy("aws-lambda-config");
Remediation
Upgrade aws-lambda to version 1.0.5 or higher.
CVSS Score: 7.5 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
- Credit: JHU System Security Lab
- CVE: CVE-2019-10777
- CWE: CWE-78
- Snyk ID: SNYK-JS-AWSLAMBDA-540839
- Disclosed: 07 Jan, 2020
- Published: 07 Jan, 2020