GHSA-qfxv-qqvg-24pg

Source

https://github.com/advisories/GHSA-qfxv-qqvg-24pg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-qfxv-qqvg-24pg/GHSA-qfxv-qqvg-24pg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qfxv-qqvg-24pg

Aliases

CVE-2019-10788

Published

2021-04-13T15:17:36Z

Modified

2025-01-14T07:14:37.085556Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OS Command Injection in im-metadata

Details

im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function.

Database specific

{
    "github_reviewed_at": "2021-03-29T22:57:19Z",
    "nvd_published_at": "2020-02-04T21:15:00Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true
}

References

Affected packages

npm / im-metadata

Package

Name: im-metadata; View open source insights on deps.dev
Purl: pkg:npm/im-metadata

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.0.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-qfxv-qqvg-24pg/GHSA-qfxv-qqvg-24pg.json"