CVE-2020-7604: Injection Vulnerability

March 15, 2020 (updated July 21, 2021)

pulverizr allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. This function uses the variable filename to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.

References

nvd.nist.gov/vuln/detail/CVE-2020-7604

Code Behaviors & Features

Detect and mitigate CVE-2020-7604 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →