Vulnerability Description
In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in npm. As a workaround, make sure to escape git commit messages when using the commitMessage option for the update function.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mversion Project | Mversion | < 2.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/mikaelbr/mversion/commit/6c76c9efd27c7ff5a5c6f187e8b7a435c472 (Patch, Third Party Advisory)
- https://github.com/mikaelbr/mversion/security/advisories/GHSA-qjg4-w4c6-f6c6 (Third Party Advisory)
FAQ
What is CVE-2020-4059?
CVE-2020-4059 is a vulnerability with a CVSS score of 7.3 (HIGH). In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vul...
How severe is CVE-2020-4059?
CVE-2020-4059 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-4059?
Check the references section above for vendor advisories and patch information. Affected products include: Mversion Project Mversion.