Impact
As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability.
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
It only affects the getPackedPackage function. That function is not advertised and is used only for tests and for building our CLI; after checking our codebase, we found no malicious code.
Patches
Fixed in
- @prisma/sdk@2.20.0 (latest channel)
- @prisma/sdk@2.20.0-dev.29 (dev channel)
References
This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.
Pull Request closing this vulnerability #6245
Acknowledgements
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
For more information
If you have any questions or comments about this advisory: