Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNnJ4LWd4cXYtdnI1as4AAxTA
nemo-appium vulnerable to OS Command Injection
Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function.
Note: In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.
Permalink: https://github.com/advisories/GHSA-c6rx-gxqv-vr5jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNnJ4LWd4cXYtdnI1as4AAxTA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-c6rx-gxqv-vr5j, CVE-2022-21129
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-21129
- https://github.com/paypal/nemo-appium/commit/aa271d36dd5c81baae3c43aa2616c84f0ee4195f
- https://github.com/paypal/nemo-appium/blob/master/index.js%23L27
- https://security.snyk.io/vuln/SNYK-JS-NEMOAPPIUM-3183747
- https://github.com/advisories/GHSA-c6rx-gxqv-vr5j
Blast Radius: 0.0
Affected Packages
npm:nemo-appium
Dependent packages: 1Dependent repositories: 1
Downloads: 29 last month
Affected Version Ranges: < 0.0.9
Fixed in: 0.0.9
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8
All unaffected versions: 0.0.9