CVE-2020-7602: Injection Vulnerability

March 15, 2020 (updated July 21, 2021)

node-prompt-here allows execution of arbitrary commands. The runCommand() is called by getDevices() function in file linux/manager.js, which is required by the index. process.env.NM_CLI in the file linux/manager.js. This function is used to construct the argument of function execSync(), which can be controlled by users without any sanitization.

References

nvd.nist.gov/vuln/detail/CVE-2020-7602

Code Behaviors & Features

Detect and mitigate CVE-2020-7602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →