CVE-2020-7677: Arbitrary Code Execution
First published: Mon Jul 25 2022(Updated: )
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| thenify node.js | <3.3.1 | |
| Debian Linux | =10.0 | |
| Red Hat Fedora | =36 | |
| Red Hat Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/thenables/thenify/blob/master/index.js%23L17
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
Frequently Asked Questions
What is the severity of CVE-2020-7677?
CVE-2020-7677 is classified as a high-severity vulnerability due to potential arbitrary code execution.
How do I fix CVE-2020-7677?
To fix CVE-2020-7677, upgrade to thenify version 3.3.1 or later.
Which software is affected by CVE-2020-7677?
CVE-2020-7677 affects versions of thenify before 3.3.1 across various platforms like Debian and Fedora.
What kind of vulnerability is CVE-2020-7677?
CVE-2020-7677 is a code injection vulnerability due to the lack of input sanitization.
Can CVE-2020-7677 lead to data breaches?
Yes, CVE-2020-7677 can lead to data breaches by allowing attackers to execute arbitrary code.
- agent/type
- agent/author
- agent/remedy
- agent/title
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/thenify project
- canonical/thenify node.js
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/36
- version/red hat fedora/37