CVE Vulnerability

CVE-2020-7677

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690 Exploit Third Party Advisory
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a Patch
https://github.com/thenables/thenify/blob/master/index.js%23L17 Broken Link
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317 Exploit Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/ Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:thenify_project:thenify:*:*:*:*:*:node.js:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Information

Published : 2022-07-25 02:15

Updated : 2023-02-23 04:21

NVD link : CVE-2020-7677

Mitre link : CVE-2020-7677

Products Affected
No products.
CWE
NVD-CWE-noinfo