Bug 2127348 (CVE-2020-7677) - CVE-2020-7677 thenify: Arbitrary Code Execution in thenify
Summary: CVE-2020-7677 thenify: Arbitrary Code Execution in thenify
Keywords:
Status: NEW
Alias: CVE-2020-7677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2127350 2127349 2127351 2212563
Blocks: 2111126
TreeView+ depends on / blocked
 
Reported: 2022-09-16 05:03 UTC by Avinash Hanwate
Modified: 2024-02-01 09:01 UTC (History)
20 users (show)

Fixed In Version: thenify 3.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the thenify package. Users can control the name argument provided to the package without any sanitization, and this is provided to the eval function without any sanitization, which leads to arbitrary code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2022-09-16 05:03:25 UTC 
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
https://github.com/thenables/thenify/blob/master/index.js%23L17
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
Comment 1 Avinash Hanwate 2022-09-16 05:03:46 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2127349]
Comment 2 Avinash Hanwate 2022-09-16 05:05:41 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2127350]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2127351]
Note You need to log in before you can comment on or make changes to this bug.