PT-2020-14203 · Codecov

Razisil · Published 2020-02-19 · Updated 2020-07-27 · CVE-2020-15123

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: codecov versions prior to 3.7.1; codecov-node versions prior to 3.6.5

Description: The codecov package is affected by an OS command injection vulnerability in its upload method. The input sanitizer can be bypassed using backticks, allowing arbitrary commands to be executed. The attack surface is considered low, particularly when the module is used directly in a build pipeline, but the vulnerability can still be exploited if malicious input is supplied.

Recommendations: For codecov versions prior to 3.7.1, update to version 3.7.1 or later. For codecov-node versions prior to 3.6.5, update to version 3.6.5 or later. As a temporary workaround, consider restricting the use of the gcov-root argument in the lib/codecov.js file to minimize the risk of exploitation.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2020-15123
GHSA-5Q88-CJFQ-G2MH
GHSA-XP63-6VF5-XF3V

Affected Products

Codecov
Codecov-Node