GHSA-5fw9-fq32-wv5p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5fw9-fq32-wv5p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-5fw9-fq32-wv5p/GHSA-5fw9-fq32-wv5p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5fw9-fq32-wv5p
- Aliases
-
- CVE-2020-7789
- SNYK-JAVA-ORGWEBJARSNPM-1050371
- SNYK-JS-NODENOTIFIER-1035794
- Published
- 2020-12-21T16:04:07Z
- Modified
- 2024-09-03T03:41:43.943043Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- OS Command Injection in node-notifier
- Details
-
This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-7789
- https://github.com/mikaelbr/node-notifier/commit/5d62799dab88505a709cd032653b2320c5813fce
- https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js%23L303
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050371
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
Affected packages
npm / node-notifier
Package
- Name
- node-notifier
- View open source insights on deps.dev
- Purl
- pkg:npm/node-notifier