PT-2020-9129 · Amazon · Aws-Lambda

Published

2020-01-08

Updated

2021-05-10

CVE-2019-10777

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions aws-lambda versions prior to 1.0.5

Description The issue allows a user to inject arbitrary commands into the zipCmd used within the config.FunctionName due to a lack of sanitization of the config.FunctionName when constructing the argument for the exec function.

Recommendations For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the config.FunctionName to minimize the risk of exploitation. Avoid using the config.FunctionName to construct arguments for the exec function until the issue is resolved.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-10777

GHSA-934X-72XH-5HRG

SNYK-JS-AWSLAMBDA-540839

Affected Products

Aws-Lambda

PT-2020-9129 · Amazon · Aws-Lambda

CVE-2019-10777

Weakness Enumeration

Related Identifiers

Affected Products

References · 5