GHSA-cwcp-6c48-fm7m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cwcp-6c48-fm7m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-cwcp-6c48-fm7m/GHSA-cwcp-6c48-fm7m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cwcp-6c48-fm7m
- Aliases
- Published
- 2020-09-01T16:39:38Z
- Modified
- 2023-11-14T21:08:18Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Unsafe eval() in summit allows arbitrary code execution
- Details
-
Affected versions of
summitallow attackers to execute arbitrary commands via collection names when using thePouchDBdriver.Recommendation
No direct patch is available at this time.
Currently, the best option to mitigate the issue is to avoid using the
PouchDBdriver, as the package author has abandoned this feature entirely. - Database specific
{ "github_reviewed_at": "2020-08-31T18:18:59Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-94" ], "nvd_published_at": "2018-06-04T19:29:01Z" }- References
Affected packages
npm / summit
Package
- Name
- summit
- View open source insights on deps.dev
- Purl
- pkg:npm/summit