CVE-2020-7604

Name of the Vulnerable Software and Affected Versions pulverizr versions through 0.7.0

Description The issue exists due to a lack of sanitization of special elements in the Pulverizr package. This allows a remote attacker to execute arbitrary commands in the target system by creating a file with malicious content and the name lib/job.js. The variable filename can be controlled by the attacker, and it is used to construct the argument of the exec call without any sanitization. To exploit this, an attacker needs to create a new file with the same name as the attack command.

Recommendations For versions through 0.7.0, as a temporary workaround, consider disabling the lib/job.js function until a patch is available. Restrict access to the lib/job.js file to minimize the risk of exploitation. Avoid using the variable filename in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.