GHSA-w8h4-vw8f-rvvj

Suggest an improvement
Source
https://github.com/advisories/GHSA-w8h4-vw8f-rvvj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-w8h4-vw8f-rvvj/GHSA-w8h4-vw8f-rvvj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w8h4-vw8f-rvvj
Aliases
Published
2021-04-13T15:30:09Z
Modified
2023-11-08T04:05:20.594750Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Improper Control of Dynamically-Managed Code Resources in config-shield
Details

scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data.

Database specific
{
    "nvd_published_at": "2021-01-27T20:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2021-04-05T22:44:52Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-913"
    ]
}
References

Affected packages

npm / config-shield

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.3