Bug 1906853 (CVE-2020-7789) - CVE-2020-7789 nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array
Keywords:
Status: NEW
Alias: CVE-2020-7789
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1907856 1907858 1907859 1907860 1907886 1907887 1907260 1907857 1907861
Blocks: 1906855
Reported: 2020-12-11 14:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 18:44 UTC (History)
CC List: 27 users

See Also:
Fixed In Version: nodejs-node-notifier 9.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2020-12-11 14:53:50 UTC
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

References:
https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js#23L303

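An added illustration of the bug class described above (hypothetical names, not node-notifier's own utils.js): an escaping routine that quotes string values but only joins array values, beside the corrected shape that escapes each element, with a check that reports which options would reach a shell-built command line with an unescaped quote.

```javascript
// Hypothetical illustration of the bug class, not node-notifier's code.
// A value is wrapped in double quotes for a shell-built command line and
// any embedded quote, dollar, backtick or backslash is backslash-escaped.
function escapeQuotes(str) {
  return String(str).replace(/(["$`\\])/g, '\\$1');
}

// Vulnerable shape: strings are escaped, arrays are only joined, so every
// array element reaches the command line exactly as supplied.
function escapeVulnerable(arg) {
  if (Array.isArray(arg)) {
    return '"' + arg.join(',') + '"';
  }
  return '"' + escapeQuotes(arg) + '"';
}

// Hardened shape: escape each element before joining, so the array path
// gets the same treatment as the string path.
function escapeFixed(arg) {
  if (Array.isArray(arg)) {
    return '"' + arg.map(escapeQuotes).join(',') + '"';
  }
  return '"' + escapeQuotes(arg) + '"';
}

// Defender-side check: true when the quoted value still contains an
// unescaped double quote, i.e. one that can close the quoting.
function hasUnescapedQuote(quoted) {
  const inner = quoted.slice(1, -1);
  return /(^|[^\\])"/.test(inner);
}

// Returns the option keys whose escaped form fails the check.
function auditOptions(options, escapeFn) {
  return Object.entries(options)
    .filter(([, value]) => hasUnescapedQuote(escapeFn(value)))
    .map(([key]) => key);
}

// Constructed sample: the array option carries a double quote, the kind
// of input the escaping exists to neutralise.
const sampleOptions = {
  title: 'Build finished',
  actions: ['OK', 'Close " now'],
};

console.log(auditOptions(sampleOptions, escapeVulnerable)); // [ 'actions' ]
console.log(auditOptions(sampleOptions, escapeFixed));      // []
```
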
Comment 1 Doran Moppert 2020-12-14 02:08:39 UTC
Introduced in 97301ed8, which was included in release 5.0.1. Prior versions should be unaffected (but check the escapeFn() definition; it changed a few times prior).

Comment 7 Przemyslaw Roguski 2020-12-14 14:21:39 UTC
External References:

https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794

Comment 10 lnacshon 2020-12-15 11:34:10 UTC
Upstream fix for our services using notifier: https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a

Comment 18 Przemyslaw Roguski 2020-12-16 12:12:24 UTC
Statement:

Whilst the OpenShift ServiceMesh (OSSM) and OpenShift Container Platform (OCP) containers include the vulnerable nodejs-node-notifier library, successful exploitation requires additional packages on the node (like a desktop notification library) which are not part of the OpenShift ServiceMesh or OpenShift Container Platform products. Additionally, access to the vulnerable nodejs-node-notifier library is restricted to authenticated users only (OpenShift OAuth authentication). Therefore these OSSM and OCP components have been marked as wont-fix and may be addressed in future updates.
OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, and hence is marked Out Of Support Scope.

The nodejs-notifier library was present in Red Hat Advanced Cluster Management for Kubernetes version 2.0, but is no longer used since version 2.1. Customers are advised to upgrade to the latest version, which is fully supported and does not include this vulnerability.
