CVE-2020-7677

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690	Exploit Third Party Advisory
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a	Patch
https://github.com/thenables/thenify/blob/master/index.js%23L17	Broken Link
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317	Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/	Mailing List Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:thenify_project:thenify:*:*:*:*:*:node.js:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Information

Published : 2022-07-25 07:15

Updated : 2023-02-23 08:21

NVD link : CVE-2020-7677

Mitre link : CVE-2020-7677

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

thenify_project

thenify

debian

debian_linux

fedoraproject

fedora

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690", "name": "N/A", "tags": ["Exploit", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a", "name": "N/A", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://github.com/thenables/thenify/blob/master/index.js%23L17", "name": "N/A", "tags": ["Broken Link"], "refsource": "CONFIRM"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317", "name": "N/A", "tags": ["Exploit", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html", "name": "[debian-lts-announce] 20220930 [SECURITY] [DLA 3128-1] node-thenify security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/", "name": "FEDORA-2023-ce8943223c", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/", "name": "FEDORA-2023-18fd476362", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7677", "ASSIGNER": "report@snyk.io"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2022-07-25T14:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:thenify_project:thenify:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.3.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-23T16:21Z"}