Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5dnYtNnE3cS13NWNm

OS Command Injection in Strapi

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

Permalink: https://github.com/advisories/GHSA-49vv-6q7q-w5cf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5dnYtNnE3cS13NWNm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago

CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-49vv-6q7q-w5cf, CVE-2019-19609
References:

Repository: https://github.com/strapi/strapi
Blast Radius: 26.1

Affected Packages

npm:strapi

Dependent packages: 25
Dependent repositories: 4,153
Downloads: 37,064 last month
Affected Version Ranges: <= 3.0.0-beta.17.7
Fixed in: 3.0.0-beta.17.8
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 2.0.1, 2.0.2, 3.0.0-alpha.4.3, 3.0.0-alpha.4.5, 3.0.0-alpha.4.6, 3.0.0-alpha.4.7, 3.0.0-alpha.4.8, 3.0.0-alpha.4.9, 3.0.0-alpha.5, 3.0.0-alpha.5.1, 3.0.0-alpha.5.2, 3.0.0-alpha.5.3, 3.0.0-alpha.5.4, 3.0.0-alpha.5.5, 3.0.0-alpha.6, 3.0.0-alpha.6.1, 3.0.0-alpha.6.2, 3.0.0-alpha.6.3, 3.0.0-alpha.6.4, 3.0.0-alpha.6.5, 3.0.0-alpha.6.6, 3.0.0-alpha.6.7, 3.0.0-alpha.7, 3.0.0-alpha.7.1, 3.0.0-alpha.7.2, 3.0.0-alpha.7.3, 3.0.0-alpha.8, 3.0.0-alpha.8.1, 3.0.0-alpha.8.2, 3.0.0-alpha.8.3, 3.0.0-alpha.9, 3.0.0-alpha.9.1, 3.0.0-alpha.9.2, 3.0.0-alpha.9.3, 3.0.0-alpha.10, 3.0.0-alpha.10.1, 3.0.0-alpha.10.2, 3.0.0-alpha.10.3, 3.0.0-alpha.11, 3.0.0-alpha.11.1, 3.0.0-alpha.11.2, 3.0.0-alpha.11.3, 3.0.0-alpha.12, 3.0.0-alpha.12.0.1, 3.0.0-alpha.12.1, 3.0.0-alpha.12.1.1, 3.0.0-alpha.12.1.2, 3.0.0-alpha.12.1.3, 3.0.0-alpha.12.2, 3.0.0-alpha.12.3, 3.0.0-alpha.12.4, 3.0.0-alpha.12.5, 3.0.0-alpha.12.6, 3.0.0-alpha.12.7, 3.0.0-alpha.12.7.1, 3.0.0-alpha.13, 3.0.0-alpha.13.0.1, 3.0.0-alpha.13.1, 3.0.0-alpha.14, 3.0.0-alpha.14.1, 3.0.0-alpha.14.1.1, 3.0.0-alpha.14.2, 3.0.0-alpha.14.2.1, 3.0.0-alpha.14.3, 3.0.0-alpha.14.4, 3.0.0-alpha.14.4.0, 3.0.0-alpha.14.5, 3.0.0-alpha.15, 3.0.0-alpha.16, 3.0.0-alpha.17, 3.0.0-alpha.18, 3.0.0-alpha.19, 3.0.0-alpha.20, 3.0.0-alpha.21, 3.0.0-alpha.22, 3.0.0-alpha.23, 3.0.0-alpha.23.1, 3.0.0-alpha.24, 3.0.0-alpha.24.1, 3.0.0-alpha.25, 3.0.0-alpha.25.1, 3.0.0-alpha.25.2, 3.0.0-alpha.26, 3.0.0-alpha.26.1, 3.0.0-alpha.26.2, 3.0.0-beta.0, 3.0.0-beta.1, 3.0.0-beta.2, 3.0.0-beta.3, 3.0.0-beta.4, 3.0.0-beta.5, 3.0.0-beta.6, 3.0.0-beta.7, 3.0.0-beta.8, 3.0.0-beta.9, 3.0.0-beta.10, 3.0.0-beta.11, 3.0.0-beta.12, 3.0.0-beta.13, 3.0.0-beta.14, 3.0.0-beta.15, 3.0.0-beta.16, 3.0.0-beta.16.1, 3.0.0-beta.16.2, 3.0.0-beta.16.3, 3.0.0-beta.16.4, 3.0.0-beta.16.5, 3.0.0-beta.16.6, 3.0.0-beta.16.7, 3.0.0-beta.16.8, 3.0.0-beta.17, 3.0.0-beta.17.1, 3.0.0-beta.17.2, 3.0.0-beta.17.3, 3.0.0-beta.17.4, 3.0.0-beta.17.5, 3.0.0-beta.17.6, 3.0.0-beta.17.7
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.6.11