GHSA-cgqv-x5cx-xvqh

Source
https://github.com/advisories/GHSA-cgqv-x5cx-xvqh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-cgqv-x5cx-xvqh/GHSA-cgqv-x5cx-xvqh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cgqv-x5cx-xvqh
Aliases
  • CVE-2016-10546
Published
2018-07-26T16:22:08Z
Modified
2023-11-08T03:58:11.764985Z
Summary
Arbitrary Code Injection in pouchdb
Details

Affected versions of pouchdb do not properly sandbox the code execution engine that executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server.

Recommendation

Update to version 6.0.5 or later.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:31:41Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
}
References

Affected packages

npm / pouchdb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-cgqv-x5cx-xvqh/GHSA-cgqv-x5cx-xvqh.json"