Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0yOXhyLXY0Mmotcjk1Ns4AAtcx

thenify before 3.3.1 made use of unsafe calls to `eval`.

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.

Permalink: https://github.com/advisories/GHSA-29xr-v42j-r956
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOXhyLXY0Mmotcjk1Ns4AAtcx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 2 years ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00213
EPSS Percentile: 0.58818

Identifiers: GHSA-29xr-v42j-r956, CVE-2020-7677
References:

• https://github.com/thenables/thenify/issues/29
• https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
• https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
• https://nvd.nist.gov/vuln/detail/CVE-2020-7677
• https://github.com/thenables/thenify/blob/master/index.js%23L17
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
• https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
• https://lists.fedoraproject.org/archives/list/[email protected]/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
• https://github.com/advisories/GHSA-29xr-v42j-r956

Repository: https://github.com/thenables/thenify
Blast Radius: 57.8

Affected Packages