Bug 2127348 (CVE-2020-7677)
| Summary: | CVE-2020-7677 thenify: Arbitrary Code Execution in thenify | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, balejosg, chazlett, epel-packagers-sig, eric.wittmann, janstey, jburrell, jochrist, jshaughn, jwendell, mrunge, ngompa13, nodejs-sig, pantinor, peholase, rcernich, sgallagh, thrcka, twalsh, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | thenify 3.3.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the thenify package. Users can control the name argument provided to the package without any sanitization, and this is provided to the eval function without any sanitization, which leads to arbitrary code execution.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2127350, 2127349, 2127351, 2212563 | ||
| Bug Blocks: | 2111126 | ||
|
Description
Avinash Hanwate
2022-09-16 05:03:25 UTC
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 2127349] Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 2127350] Created yarnpkg tracking bugs for this issue: Affects: fedora-all [bug 2127351] |