Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZm04LWh3aGctcjZnZ84AAwbj
p4 vulnerable to Command Injection due to improper input sanitization
The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization.
Permalink: https://github.com/advisories/GHSA-jfm8-hwhg-r6gg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZm04LWh3aGctcjZnZ84AAwbj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jfm8-hwhg-r6gg, CVE-2022-25171
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25171
- https://github.com/natelong/p4/commit/ae42e251beabf67c00539ec0e1d7aa149ca445fb
- https://security.snyk.io/vuln/SNYK-JS-P4-3167330
- https://github.com/natelong/p4/blob/master/p4.js#23L12
- https://github.com/natelong/p4/blob/master/p4.js%23L12
- https://github.com/advisories/GHSA-jfm8-hwhg-r6gg
Blast Radius: 0.0
Affected Packages
npm:p4
Dependent packages: 1
Dependent repositories: 1
Downloads: 37 last month
Affected Version Ranges: < 0.0.7
Fixed in: 0.0.7
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6
All unaffected versions: 0.0.7