pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2020-03-15T21:28:34
Updated: 2024-08-04T09:33:19.973Z
Reserved: 2020-01-21T00:00:00
Link: CVE-2020-7604
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-03-15T22:15:14.740
Modified: 2024-11-21T05:37:27.573
Link: CVE-2020-7604
Redhat
No data.