Homepage
About Snyk

Command Injection Affecting aws-lambda package, versions <1.0.5

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.22% (62nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-AWSLAMBDA-540839
  • published 7 Jan 2020
  • disclosed 7 Jan 2020
  • credit JHU System Security Lab
Report a new vulnerability Found a mistake?

Introduced: 7 Jan 2020

CVE-2019-10777 Open this link in a new tab
CWE-78 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade aws-lambda to version 1.0.5 or higher.

Overview

aws-lambda is a command line tool deploy code to AWS Lambda.

Affected versions of this package are vulnerable to Command Injection. The config.FunctioName is used to construct the argument used within the exec function without any sanitization. It is possible for a user to inject arbitrary commands to the zipCmd used within config.FunctionName located in the file lib/main.js (line 78).

PoC by JHU System Security Lab

// aws-lambda-config.lambda
{"FunctionName": "& touch Song &", 
"PATH": "./"}

var root = require("aws-lambda");
root.deploy("aws-lambda-config");

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

9.8 critical