Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yOXhyLXY0Mmotcjk1Ns4AAtcx
thenify before 3.3.1 made use of unsafe calls to `eval`.
Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOXhyLXY0Mmotcjk1Ns4AAtcx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-29xr-v42j-r956, CVE-2020-7677
References:
- https://github.com/thenables/thenify/issues/29
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- https://nvd.nist.gov/vuln/detail/CVE-2020-7677
- https://github.com/thenables/thenify/blob/master/index.js%23L17
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
- https://github.com/advisories/GHSA-29xr-v42j-r956
Blast Radius: 57.8
Affected Packages
maven:org.webjars.npm:thenify
Dependent packages: 3Dependent repositories: 0
Downloads:
Affected Version Ranges: < 3.3.1
Fixed in: 3.3.1
All affected versions: 3.1.0, 3.3.0
All unaffected versions: 3.3.1
npm:thenify
Dependent packages: 342Dependent repositories: 626,473
Downloads: 49,861,860 last month
Affected Version Ranges: < 3.3.1
Fixed in: 3.3.1
All affected versions: 1.0.0, 2.0.0, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0
All unaffected versions: 3.3.1