Command Injection Affecting org.webjars.npm:node-notifier package, versions [,5.4.5)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.33% (72nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Command Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARSNPM-1050371
  • published13 Dec 2020
  • disclosed4 Nov 2020
  • creditAlessio Della Libera (d3lla)

Introduced: 4 Nov 2020

CVE-2020-7789  (opens in a new tab)
CWE-78  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade org.webjars.npm:node-notifier to version 5.4.5 or higher.

Overview

org.webjars.npm:node-notifier is an A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)

Affected versions of this package are vulnerable to Command Injection. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

CVSS Scores

version 3.1