Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNneDcteGh2Ny01bXgz
Arbitrary Code Execution in eslint-utils
Versions of eslint-utils >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The getStaticValue does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The getStringIfConstant and getPropertyName functions are not affected.
Recommendation
Upgrade to version 1.4.1 or later.
Permalink: https://github.com/advisories/GHSA-3gx7-xhv7-5mx3JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNneDcteGh2Ny01bXgz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0036
EPSS Percentile: 0.72513
Identifiers: GHSA-3gx7-xhv7-5mx3, CVE-2019-15657
References:
- https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3
- https://nvd.nist.gov/vuln/detail/CVE-2019-15657
- https://eslint.org/blog/2019/08/eslint-v6.2.1-released
- https://github.com/advisories/GHSA-3gx7-xhv7-5mx3
- https://www.npmjs.com/advisories/1118
- https://github.com/mysticatea/eslint-utils/commit/08158db1c98fd71cf0f32ddefbc147e2620e724c
Blast Radius: 62.9
Affected Packages
npm:eslint-utils
Dependent packages: 1,189Dependent repositories: 2,601,363
Downloads: 103,462,293 last month
Affected Version Ranges: >= 1.2.0, < 1.4.1
Fixed in: 1.4.1
All affected versions: 1.2.0, 1.3.0, 1.3.1, 1.4.0
All unaffected versions: 0.0.0, 1.0.0, 1.1.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.1.0, 3.0.0