PT-2020-19649 · Google · Closure-Compiler-Stream

Published

2020-03-15

Updated

2021-07-21

CVE-2020-7603

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions closure-compiler-stream versions 0.1.15 and earlier

Description The issue allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization.

Recommendations For versions 0.1.15 and earlier, consider disabling the exports function in index.js or sanitizing the options argument to prevent arbitrary command execution until a patch is available. Restrict access to the index.js file to minimize the risk of exploitation. Avoid using the options argument in the affected function until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2020-7603

GHSA-M647-5WF9-3JP3

SNYK-JS-CLOSURECOMPILERSTREAM-560123

Affected Products

Closure-Compiler-Stream

PT-2020-19649 · Google · Closure-Compiler-Stream

CVE-2020-7603

Weakness Enumeration

Related Identifiers

Affected Products

References · 5