Bug 1906853 (CVE-2020-7789) - CVE-2020-7789 nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array
Summary: CVE-2020-7789 nodejs-node-notifier: command injection due to the options para...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7789
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1907260 1907856 1907857 1907858 1907859 1907860 1907861 1907886 1907887 1935677
Blocks: 1906855
TreeView+ depends on / blocked
 
Reported: 2020-12-11 14:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-08-30 23:49 UTC (History)
44 users (show)

See Also:
Fixed In Version: nodejs-node-notifier 9.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in node-notifier. An attacker can run arbitrary commands on Linux machines due to the options params not being sanitized when being passed an array.
Clone Of:
Environment:
Last Closed: 2021-03-09 21:05:46 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0781 0 None None None 2021-03-09 15:14:50 UTC

Description Guilherme de Almeida Suckevicz 2020-12-11 14:53:50 UTC 
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

References:
https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js#23L303
Comment 1 Doran Moppert 2020-12-14 02:08:39 UTC 
Introduced in 97301ed8 which was included in release 5.0.1.  Prior versions should be unaffected (but check the escapeFn() definition - it changed a few times prior).
Comment 5 Przemyslaw Roguski 2020-12-14 14:21:35 UTC 
Upstream commit:
https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a
Comment 7 Przemyslaw Roguski 2020-12-14 14:21:39 UTC 
External References:

https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
Comment 10 lnacshon 2020-12-15 11:34:10 UTC 
Upstream fix for our services using notifier https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a
Comment 18 Przemyslaw Roguski 2020-12-16 12:12:24 UTC 
Statement:

Whilst the OpenShift ServiceMesh (OSSM) and OpenShift Container Platform (OCP) containers include  the vulnerable nodejs-node-notifier library, the successful exploitation requires additional packages on the node (like desktop notification library) which are not part of the OpenShift ServiceMesh or OpenShift Container Platform products. Additionally access to the vulnerable nodejs-node-notifier library is restricted to authenticated users only (OpenShift OAuth authentication). Therefore these OSSM and OCP components have been marked as wont-fix and may be addressed in a future updates.
OpenShift ServiceMesh (OSSM) 1.1 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.

The nodejs-notifier library was present in Red Hat Advanced Cluster Management for Kubernetes version 2.0, but is no longer used since version 2.1. Customers are advised to upgrade to the latest version which is fully supported, does not include this vulnerability.
Comment 21 errata-xmlrpc 2021-03-09 15:14:40 UTC 
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781
Comment 22 Product Security DevOps Team 2021-03-09 21:05:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7789
Note You need to log in before you can comment on or make changes to this bug.