CVE-2020-36650 — gry vulnerable to Command Injection

Description

A vulnerability, which was classified as critical, was found in IonicaBizau node-gry up to 5.x. This affects an unknown part. The manipulation leads to command injection. Upgrading to version 6.0.0 is able to address this issue. The name of the patch is 5108446c1e23960d65e8b973f1d9486f9f9dbd6c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218019.

How to fix CVE-2020-36650

To remediate CVE-2020-36650, upgrade the affected package to a fixed version below.

—upgrade to 6.0.0 or later

Is CVE-2020-36650 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-36650
PATCHgithub.com/IonicaBizau/node-gry
WEBgithub.com/IonicaBizau/node-gry/commit/5108446c1e23960d65e8b973f1d9486f9f9dbd6c
WEBgithub.com/IonicaBizau/node-gry/pull/22
WEB