GHSA-c9m9-48pw-6mpv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c9m9-48pw-6mpv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c9m9-48pw-6mpv/GHSA-c9m9-48pw-6mpv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c9m9-48pw-6mpv
- Aliases
-
- CVE-2020-7633
- Published
- 2021-05-24T22:18:13Z
- Modified
- 2026-03-14T10:41:05.060914Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- apiconnect-cli-plugins vulnerable to OS Command Injection
- Details
-
apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the
pluginUriargument.PoC
var root = require("apiconnect-cli-plugins"); var payload = "& touch Song &"; root.pluginLoader.installPlugin(payload, "");The injection point is located in line 181 of file
lib/plugin-loader.js, in the functioninstallPlugin(pluginUri, registryUri). - Database specific
{ "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2023-10-19T18:57:46Z", "nvd_published_at": "2020-04-06T13:15:00Z", "severity": "CRITICAL" }- References
Affected packages
npm / apiconnect-cli-plugins
Package
- Name
- apiconnect-cli-plugins
- View open source insights on deps.dev
- Purl
- pkg:npm/apiconnect-cli-plugins