CVE-2021-34078: OS Command Injection in lifion-verify-deps

June 3, 2022

lifion-verify-dependencies through 1.1.0 is vulnerable to OS command injection via a crafted dependency name on the scanned project’s package.json file.

References

advisory.checkmarx.net/advisory/CX-2021-4785
github.com/advisories/GHSA-rphm-c8gw-3r38
github.com/lifion/lifion-verify-deps/commit/be1133d5b78e3caa0004fa60207013dca4e1bf38
nvd.nist.gov/vuln/detail/CVE-2021-34078

Code Behaviors & Features

Detect and mitigate CVE-2021-34078 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →