Arbitrary Code Execution

Affecting @prisma/sdk package, versions <2.20.0


Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the getPackedPackage function. The weakness is classified as CWE-77 (command injection): input that reaches this function is used to build an operating-system command without being neutralized first. The function is used only for tests and for building the CLI, so exposure is limited to environments where an attacker can influence that input, such as a test or build pipeline; this matches the high attack complexity and high privileges required in the CVSS vector below.

Remediation

Upgrade @prisma/sdk to version 2.20.0 or higher. Because the package may be present only as a transitive dependency, check the resolved version in your lockfile with `npm ls @prisma/sdk` (or `yarn why @prisma/sdk`) rather than relying on the version you declare directly.

CVSS Score: 7.7 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: None
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Credit: Erik Krogh Kristensen
CVE: CVE-2021-21414
CWE: CWE-77
Snyk ID: SNYK-JS-PRISMASDK-1243749
Disclosed: 06 Apr, 2021
Published: 07 Apr, 2021