PT-2020-19670 · Heroku · Heroku-Addonpool

Published

2020-04-06

Updated

2021-12-09

CVE-2020-7634

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions heroku-addonpool versions 0.1.15 and earlier

Description The issue concerns a Command Injection problem. Specifically, the second parameter of the exported function HerokuAddonPool(id, app, opt) can be controlled by users without any sanitization, allowing for potential command injection attacks.

Recommendations For heroku-addonpool versions 0.1.15 and earlier, consider disabling the HerokuAddonPool function until a patch is available to prevent command injection attacks. Restrict access to the HerokuAddonPool function to minimize the risk of exploitation. Avoid using the app parameter in the HerokuAddonPool function without proper sanitization until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2020-7634

GHSA-3Q9X-W53P-JG53

SNYK-JS-HEROKUADDONPOOL-564428

Affected Products

Heroku-Addonpool

PT-2020-19670 · Heroku · Heroku-Addonpool

CVE-2020-7634

Weakness Enumeration

Related Identifiers

Affected Products

References · 7