Search
Find a vulnerability
Search criteria
2 vulnerabilities by pulverizr_project
CVE-2020-7604 (GCVE-0-2020-7604)
Vulnerability from nvd – Published: 2020-03-15 21:28 – Updated: 2024-08-04 09:33
VLAI
Summary
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Severity
No CVSS data available.
CWE
- Command Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:33:19.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pulverizr",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions including 0.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pulverizr through 0.7.0 allows execution of arbitrary commands. Within \"lib/job.js\", the variable \"filename\" can be controlled by the attacker. This function uses the variable \"filename\" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-15T21:28:34.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2020-7604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pulverizr",
"version": {
"version_data": [
{
"version_value": "All versions including 0.7.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pulverizr through 0.7.0 allows execution of arbitrary commands. Within \"lib/job.js\", the variable \"filename\" can be controlled by the attacker. This function uses the variable \"filename\" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7604",
"datePublished": "2020-03-15T21:28:34.000Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:33:19.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7604 (GCVE-0-2020-7604)
Vulnerability from cvelistv5 – Published: 2020-03-15 21:28 – Updated: 2024-08-04 09:33
VLAI
Summary
pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
Severity
No CVSS data available.
CWE
- Command Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:33:19.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "pulverizr",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions including 0.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pulverizr through 0.7.0 allows execution of arbitrary commands. Within \"lib/job.js\", the variable \"filename\" can be controlled by the attacker. This function uses the variable \"filename\" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-15T21:28:34.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2020-7604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pulverizr",
"version": {
"version_data": [
{
"version_value": "All versions including 0.7.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "pulverizr through 0.7.0 allows execution of arbitrary commands. Within \"lib/job.js\", the variable \"filename\" can be controlled by the attacker. This function uses the variable \"filename\" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-PULVERIZR-560122"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7604",
"datePublished": "2020-03-15T21:28:34.000Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:33:19.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}