Command Injection

Affecting gerapy package, versions [,0.9.3) (every release before 0.9.3)

Overview

gerapy is a Distributed Crawler Management Framework Based on Scrapy, Scrapyd, Scrapyd-Client, Scrapyd-API, Django and Vue.js.

Affected versions of this package are vulnerable to Command Injection. The project_configure endpoint passes request-controlled input to subprocess.Popen without sanitizing it, so an attacker who can reach the endpoint can append shell metacharacters and run arbitrary operating-system commands on the host with the privileges of the gerapy server process.
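The following is an added illustration of this bug class and of the two layers of fix a reviewer would expect; it is not gerapy's own code and does not reproduce the project_configure view. The vulnerable function reflects only what the advisory states (untrusted input reaching Popen unsanitized); `echo` stands in for the real command so the example is harmless and runs offline, and the `SAFE_NAME` allowlist is an assumed policy for this example, not gerapy's.

```python
"""Command injection via Popen: vulnerable pattern and hardened form.

Illustrative code for the gerapy CVE-2020-7698 bug class, not the project's
own source. `echo` stands in for the external command the real endpoint ran.
Assumes a POSIX sh, since shell=True invokes /bin/sh on Linux and macOS.
"""
import re
import subprocess

# Allowlist for a project name: an identifier-like token, bounded in length.
# Assumed policy for this example; gerapy's own validation is not quoted here.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def vulnerable_generate(project_name: str) -> str:
    """Bug class: untrusted input interpolated into a shell string, shell=True.

    A name such as 'demo; echo INJECTED' makes /bin/sh run a second command.
    """
    cmd = "echo generating " + project_name  # attacker controls the tail
    proc = subprocess.Popen(
        cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT
    )
    out, _ = proc.communicate()
    return out.decode()


def list_form_generate(project_name: str) -> str:
    """Partial fix: pass an argv list and no shell.

    Metacharacters are now delivered to the program as one literal argument,
    so no second command runs. This alone does not make the value safe for
    other uses (for example building a filesystem path from it).
    """
    proc = subprocess.Popen(
        ["echo", "generating", project_name],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
    )
    out, _ = proc.communicate()
    return out.decode()


def hardened_generate(project_name: str) -> str:
    """Full fix: reject anything outside the allowlist, then run without a shell."""
    if not SAFE_NAME.fullmatch(project_name):
        raise ValueError(f"invalid project name: {project_name!r}")
    return list_form_generate(project_name)


if __name__ == "__main__":
    # Constructed payload, not taken from any real report.
    payload = "demo; echo INJECTED"
    print("vulnerable :", repr(vulnerable_generate(payload)))
    print("list form  :", repr(list_form_generate(payload)))
    try:
        hardened_generate(payload)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened   :", repr(hardened_generate("demo")))
```

Running the script shows the injected `echo INJECTED` executing only in the `shell=True` variant; the argv form prints the whole payload as a single argument, and the allowlisted form refuses it before any process is spawned. Both layers are worth keeping: the argv list removes the shell, and the allowlist keeps a name that will also be used as a directory or file name from carrying path separators or other surprises.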

Remediation

Upgrade gerapy to version 0.9.3 or higher.

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit
Snyk Security Team
CVE
CVE-2020-7698
CWE
CWE-78
Snyk ID
SNYK-PYTHON-GERAPY-572470
Disclosed
17 Jun, 2020
Published
07 Jul, 2020