PT-2020-1960 · Gulp · Gulp-Scss-Lint

Published

2020-02-15

Updated

2021-07-21

CVE-2020-7601

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions gulp-scss-lint versions 1.0.0 and earlier

Description The issue exists due to the lack of measures to neutralize special elements used in the operating system command. This allows a remote attacker to execute arbitrary commands by injecting them into the exec function located in src/command.js via the provided options.

Recommendations For versions 1.0.0 and earlier, consider disabling the exec function in src/command.js until a patch is available to prevent exploitation. Restrict access to the src/command.js file to minimize the risk of arbitrary command execution. Avoid using the exec function with untrusted input to prevent command injection.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2020-01258

CVE-2020-7601

GHSA-G4HJ-R7R3-9RWV

SNYK-JS-GULPSCSSLINT-560114

Affected Products

Gulp-Scss-Lint

PT-2020-1960 · Gulp · Gulp-Scss-Lint

CVE-2020-7601

Weakness Enumeration

Related Identifiers

Affected Products

References · 8