Command Injection Affecting buns package, versions *
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.25% (65th percentile)
- Snyk ID SNYK-JS-BUNS-1050389
- published 8 Jan 2021
- disclosed 11 Dec 2020
- credit JHU System Security Lab
Introduced: 11 Dec 2020
CVE-2020-7794
How to fix?
There is no fixed version for buns.
Overview
Affected versions of this package are vulnerable to Command Injection. The injection point is located at line 678 of the index file lib/index.js, in the exported function install(requestedModule).
PoC
var root = require("buns");
var name = "& touch JHU";
root.install(name);
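With no fixed version available, the caller has to keep untrusted strings away from install(). The following is an added example, not code from buns or from this advisory: a hypothetical wrapper (validateModuleSpec, buildInstallArgv and installModule are names introduced here) that allow-lists module names and runs the install through execFile with an argument array instead of a shell string. It assumes the intended operation is `npm install <module>`, and the name pattern is a deliberately conservative assumption.

```javascript
// Added example: hypothetical wrapper, not code from the buns package.
// Conservative allow-list (assumption): optional @scope/, then lowercase
// letters, digits, '.', '_', '~', '-'; no leading '-', '.' or '_'.
const NAME_RE = /^(?:@[a-z0-9~][a-z0-9._~-]*\/)?[a-z0-9~][a-z0-9._~-]*$/;
// Optional version or dist-tag after the name, e.g. 1.3.0 or latest.
const VERSION_RE = /^[A-Za-z0-9._+-]+$/;

// Returns { ok: true, spec } for a well-formed module spec, or
// { ok: false, reason } otherwise. Shell metacharacters and whitespace
// never match the allow-list, so they are rejected.
function validateModuleSpec(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 214) {
    return { ok: false, reason: "expected a string of 1 to 214 characters" };
  }
  // Split off a trailing @version; index 0 is the '@' of a scope, not a version.
  const at = input.lastIndexOf("@");
  const name = at > 0 ? input.slice(0, at) : input;
  const version = at > 0 ? input.slice(at + 1) : null;
  if (!NAME_RE.test(name)) {
    return { ok: false, reason: "invalid package name" };
  }
  if (version !== null && !VERSION_RE.test(version)) {
    return { ok: false, reason: "invalid version or tag" };
  }
  return { ok: true, spec: input };
}

// Builds the argument array for execFile. Throws instead of installing
// when the spec fails validation.
function buildInstallArgv(input) {
  const result = validateModuleSpec(input);
  if (!result.ok) {
    throw new Error("refusing to install: " + result.reason);
  }
  return ["install", result.spec];
}

// Runs the install without a shell: the spec reaches npm as one literal
// argument, so nothing in it is interpreted as shell syntax.
function installModule(input, callback) {
  const { execFile } = require("child_process");
  execFile("npm", buildInstallArgv(input), callback);
}
```

The PoC string from this advisory fails validateModuleSpec and never reaches a process launch.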
CVSS Scores
version 3.1