CVE-2020-26301: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

September 21, 2021

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed

References

github.com/advisories/GHSA-652h-xwhf-q4h6
github.com/mscdex/ssh2/commit/f763271f41320e71d5cbee02ea5bc6a2ded3ca21
nvd.nist.gov/vuln/detail/CVE-2020-26301
securitylab.github.com/advisories/GHSL-2020-123-mscdex-ssh2/
www.npmjs.com/package/ssh2

Code Behaviors & Features

Detect and mitigate CVE-2020-26301 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →