CVE-2020-7735 : The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the

The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option.

Published 2020-09-25 12:15:15

Updated 2020-09-30 14:37:17

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2020-7735

Ng-packagr Project » Ng-packagr
Versions before (<) 10.1.1
cpe:2.3:a:ng-packagr_project:ng-packagr:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

2.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.6	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	0.7	5.9	Snyk
Attack Vector: Network Attack Complexity: High Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

https://github.com/ng-packagr/ng-packagr/commit/bda0fff3443301f252930a73fdc8fb9502de596d

fix: replace execFile with execFileSync to fix a potential malicious … · ng-packagr/ng-packagr@bda0fff · GitHub
Patch;Third Party Advisory
https://snyk.io/vuln/SNYK-JS-NGPACKAGR-1012427

Command Injection in ng-packagr | Snyk
Third Party Advisory

Jump to