GHSA-29xr-v42j-r956
Suggest an improvement- Source
- https://github.com/advisories/GHSA-29xr-v42j-r956
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-29xr-v42j-r956/GHSA-29xr-v42j-r956.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-29xr-v42j-r956
- Aliases
- Published
- 2022-07-18T19:15:29Z
- Modified
- 2024-02-17T05:21:12.772045Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- thenify before 3.3.1 made use of unsafe calls to `eval`.
- Details
-
Versions of thenify prior to 3.3.1 made use of unsafe calls to
eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls toeval. - Database specific
{ "nvd_published_at": "2022-07-25T14:15:00Z", "cwe_ids": [ "CWE-78" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-07-18T19:15:29Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-7677
- https://github.com/thenables/thenify/issues/29
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://github.com/thenables/thenify
- https://github.com/thenables/thenify/blob/master/index.js%23L17
- https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
Affected packages
npm / thenify
Package
- Name
- thenify
- View open source insights on deps.dev
- Purl
- pkg:npm/thenify
Maven / org.webjars.npm:thenify
Package
- Name
- org.webjars.npm:thenify
- View open source insights on deps.dev
- Purl
- pkg:maven/org.webjars.npm/thenify