Arbitrary Code Execution Affecting script-manager package, versions <0.9.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SCRIPTMANAGER-548308
- published 7 Feb 2020
- disclosed 26 Jul 2019
- credit Vasilii Ermilov
Introduced: 26 Jul 2019
CVE-2020-8129 Open this link in a new tabHow to fix?
Upgrade script-manager
to version 0.9.0 or higher.
Overview
script-manager is a manager for running foreign and potentially dangerous scripts in the cluster.
Affected versions of this package are vulnerable to Arbitrary Code Execution. It runs HTTP server as a child process and sends requests to this server. The server dynamically loads (with help of require()
) some parts of the code, as long as the path to the required code depends on the data from the request (req.body.options.execModulePath
). If an attacker knows the port of the server, it is possible to load code that was not intended to execute.