PT-2020-21397 — Remote Code Execution in Npm+1 Eslint-Scope+1

PT-2020-21397 · Npm+1 · Eslint-Scope+1

Published

2020-09-01

Updated

2020-09-01

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions eslint-config-airbnb-standard version 2.0.0

Description The issue concerns malicious code found in a bundled version of eslint-scope within eslint-config-airbnb-standard. This malicious code reads the user's .npmrc file and sends its contents to a remote server.

Recommendations For eslint-config-airbnb-standard version 2.0.0, revoke all npm tokens and use a different version of the module.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-506

Related Identifiers

GHSA-M852-866J-69J8

Affected Products

Eslint-Config-Airbnb-Standard

Eslint-Scope

PT-2020-21397 · Npm+1 · Eslint-Scope+1

Weakness Enumeration

Related Identifiers

Affected Products

References · 2