Command Injection

Affecting jison package, ALL versions


Overview

jison is a package that provides an API for creating parsers in JavaScript.

Affected versions of this package are vulnerable to Command Injection. Arbitrary OS shell command execution is possible through a crafted command-line argument.

Remediation

There is no fixed version for jison.

CVSS Score

5.3 (medium severity)

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RC:C

  • Credit: 0x48piraj
  • CVE: CVE-2020-8178
  • CWE: CWE-78
  • Snyk ID: SNYK-JS-JISON-570539
  • Disclosed: 28 May, 2020
  • Published: 28 May, 2020