CVE-2020-7604 — OS Command Injection in pulverizr

Description

pulverizr through 0.7.0 allows execution of arbitrary commands. Within `lib/job.js`, the variable `filename` can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.

How to fix CVE-2020-7604

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2020-7604 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-7604
WEBgithub.com/bentruyman/pulverizr/blob/master/lib/job.js#L73
WEBsnyk.io/vuln/SNYK-JS-PULVERIZR-560122