This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. References: https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794 https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js#23L303
Introduced in 97301ed8 which was included in release 5.0.1. Prior versions should be unaffected (but check the escapeFn() definition - it changed a few times prior).
Upstream commit: https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a
External References: https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
Upstream fix for our services using notifier https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a
Statement: Whilst the OpenShift ServiceMesh (OSSM) and OpenShift Container Platform (OCP) containers include the vulnerable nodejs-node-notifier library, the successful exploitation requires additional packages on the node (like desktop notification library) which are not part of the OpenShift ServiceMesh or OpenShift Container Platform products. Additionally access to the vulnerable nodejs-node-notifier library is restricted to authenticated users only (OpenShift OAuth authentication). Therefore these OSSM and OCP components have been marked as wont-fix and may be addressed in a future updates. OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope. The nodejs-notifier library was present in Red Hat Advanced Cluster Management for Kubernetes version 2.0, but is no longer used since version 2.1. Customers are advised to upgrade to the latest version which is fully supported, does not include this vulnerability.
This issue has been addressed in the following products: Red Hat Automation Hub 4.2 for RHEL 7 Red Hat Automation Hub 4.2 for RHEL 8 Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7789