GHSA-fmf5-j5j9-99pp

Source
https://github.com/advisories/GHSA-fmf5-j5j9-99pp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fmf5-j5j9-99pp/GHSA-fmf5-j5j9-99pp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fmf5-j5j9-99pp
Aliases
Published
2021-05-07T16:20:44Z
Modified
2026-03-13T21:57:10.616419Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OS Command Injection in pulverizr
Details

pulverizr through 0.7.0 allows execution of arbitrary commands. Within lib/job.js, the variable "filename" can be controlled by the attacker. The code there uses "filename" to construct the argument of the exec call without any sanitization, so the shell interprets any metacharacters the name contains. To exploit this vulnerability successfully, an attacker needs to create a new file whose name is the attack command.

Database specific
{
    "nvd_published_at": "2020-03-15T22:15:00Z",
    "severity": "CRITICAL",
    "github_reviewed_at": "2021-05-04T19:02:09Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / pulverizr

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.7.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fmf5-j5j9-99pp/GHSA-fmf5-j5j9-99pp.json"