GHSA-9jm3-5835-537m

Source

https://github.com/advisories/GHSA-9jm3-5835-537m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-9jm3-5835-537m/GHSA-9jm3-5835-537m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9jm3-5835-537m

Aliases

CVE-2018-16462

Published

2018-11-01T14:48:50Z

Modified

2023-11-08T03:59:59.577081Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Command Injection in apex-publish-static-files

Details

Versions of apex-publish-static-files before 2.0.1 are vulnerable to command injection. This is exploitable if user input is passed into the connectString option in the publish method.

Recommendation

Update to version 2.0.1 or later.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:28:57Z"
}

References

Affected packages

npm / apex-publish-static-files

Package

Name: apex-publish-static-files; View open source insights on deps.dev
Purl: pkg:npm/apex-publish-static-files

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.1