PT-2020-18372 · Npm · Npm

Published 2020-03-25 · Updated 2020-04-09 · CVE-2020-5282

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Nick Chan Bot, versions prior to 1.0.0-beta

Description

The bot's npm command allows arbitrary shell command execution (OS command injection). The command is reachable over the network with no authentication and no user interaction (CVSS vector AV:N/PR:N/UI:N), so anyone able to send it to the bot can run commands on the host with the bot process's privileges and fully compromise the bot.

Recommendations

Update to version 1.0.0-beta or later. As a temporary workaround until the update is applied, disable the npm command or restrict who may invoke it.

Weakness Enumeration

OS Command Injection
Related Identifiers

CVE-2020-5282
GHSA-8XWP-R7PJ-CGW3

Affected Products

Npm