
Fix CVE-2020-15123 #9

Merged
merged 1 commit into from Jul 26, 2022

Conversation

debricked-staging[bot]

CVE-2020-15123

Vulnerable dependency: codecov (npm) 3.1.0

Vulnerability details

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

GitHub

Command injection in codecov (npm package)

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None. However, the attack surface is low in this case, particularly in the standard use of codecov, where the module is used directly in a build pipeline rather than built against as a library in another application that may supply malicious input and perform command injection.

NVD

In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

CVSS details - 9.3 (Critical)

CVSS3 metrics (vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: Required
    Scope: Changed
    Confidentiality: High
    Integrity: High
    Availability: None
References

    - NVD - CVE-2020-15123
    - Command injection in codecov (npm package) · CVE-2020-15123 · GitHub Advisory Database · GitHub
    - codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub
    - Switch from execSync to execFileSync (#180) · codecov/codecov-node@c0711c6 · GitHub
    - Switch from execSync to execFileSync by drazisil · Pull Request #180 · codecov/codecov-node · GitHub
    - Command injection in upload method · Advisory · codecov/codecov-node · GitHub
    - LGTM

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE


@Luffare0 Luffare0 merged commit 1f906f4 into dev Jul 26, 2022