{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-7677", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "dateUpdated": "2024-09-16T17:34:23.113Z", "dateReserved": "2020-01-21T00:00:00", "datePublished": "2022-07-25T14:08:22.131877Z"}, "containers": {"cna": {"title": "Arbitrary Code Execution", "datePublic": "2022-07-25T00:00:00", "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-01-21T00:00:00"}, "descriptions": [{"lang": "en", "value": "This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization."}], "affected": [{"vendor": "n/a", "product": "thenify", "versions": [{"version": "unspecified", "lessThan": "3.3.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317"}, {"url": "https://github.com/thenables/thenify/blob/master/index.js%23L17"}, {"url": "https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a"}, {"name": "[debian-lts-announce] 20220930 [SECURITY] [DLA 3128-1] node-thenify security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html"}, {"name": "FEDORA-2023-ce8943223c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"}, {"name": "FEDORA-2023-18fd476362", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"}], "credits": [{"lang": "en", "value": "JHU System Security Lab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "remediationLevel": "UNAVAILABLE", "reportConfidence": "CONFIRMED", "baseScore": 8.6, "temporalScore": 8.1, "baseSeverity": "HIGH", "temporalSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Arbitrary Code Execution"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:41:00.475Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317", "tags": ["x_transferred"]}, {"url": "https://github.com/thenables/thenify/blob/master/index.js%23L17", "tags": ["x_transferred"]}, {"url": "https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220930 [SECURITY] [DLA 3128-1] node-thenify security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html"}, {"name": "FEDORA-2023-ce8943223c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"}, {"name": "FEDORA-2023-18fd476362", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thenify_project:thenify:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "2074E478-8FB2-42A3-9E63-656E167713CF", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization."}, {"lang": "es", "value": "Esto afecta al paquete thenify antes de la versi\u00f3n 3.3.1. El argumento del nombre proporcionado al paquete puede ser controlado por los usuarios sin ning\u00fan tipo de sanitizaci\u00f3n, y este es proporcionado a la funci\u00f3n eval sin ninguna sanitizaci\u00f3n"}], "id": "CVE-2020-7677", "lastModified": "2024-11-21T05:37:35.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-25T14:15:10.047", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/thenables/thenify/blob/master/index.js%23L17"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a"}, {"source": "report@snyk.io", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"}, {"source": "report@snyk.io", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/thenables/thenify/blob/master/index.js%23L17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "thenify: Arbitrary Code Execution in thenify", "id": "2127348", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127348"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.", "A flaw was found in the thenify package. Users can control the name argument provided to the package without any sanitization, and this is provided to the eval function without any sanitization, which leads to arbitrary code execution."], "name": "CVE-2020-7677", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "impact": "low", "package_name": "thenify", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "thenify", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "thenify", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-07-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7677\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7677"], "statement": "Red Hat Service Registry does not directly use the vulnerable code, but has a dependency on the affected package, and as such is affected at Low impact.\nRed Hat Service Mesh (OSSM) is closed as Won't Do as Thenify is hosted only by Cucumber, which is a development dependency for automation testing and is not part of the production container.\nAs an aside, this is already resolved in the upcoming 2.3 version.", "threat_severity": "Important", "upstream_fix": "thenify 3.3.1"}