pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2020-03-15T21:28:34

Updated: 2024-08-04T09:33:19.973Z

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7604

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-03-15T22:15:14.740

Modified: 2024-11-21T05:37:27.573

Link: CVE-2020-7604

cve-icon Redhat

No data.