GHSA-5fjj-cfh2-ghc5

Source

https://github.com/advisories/GHSA-5fjj-cfh2-ghc5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-5fjj-cfh2-ghc5/GHSA-5fjj-cfh2-ghc5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5fjj-cfh2-ghc5

Aliases

CVE-2020-8128

Published

2021-04-13T15:25:24Z

Modified

2023-11-08T04:04:13.713125Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport

Details

An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.

Database specific

{
    "cwe_ids": [
        "CWE-829",
        "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T22:34:40Z",
    "nvd_published_at": "2020-02-14T22:15:00Z",
    "severity": "HIGH"
}

References

Affected packages

npm / jsreport

Package

Name: jsreport; View open source insights on deps.dev
Purl: pkg:npm/jsreport

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-5fjj-cfh2-ghc5/GHSA-5fjj-cfh2-ghc5.json"

last_known_affected_version_range

"<= 2.5.0"