CVE-2020-7677 — HIGH (8.6) — White Hats Nepal

Q: How severe is CVE-2020-7677?

CVE-2020-7677 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-7677?

Check the references section above for vendor advisories and patch information. Affected products include: Thenify Project Thenify, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Thenify Project	Thenify	< 3.3.1
Debian	Debian Linux	10.0
Fedoraproject	Fedora	36

References

https://github.com/thenables/thenify/blob/master/index.js%23L17Broken Link
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4Patch
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317ExploitThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690ExploitThird Party Advisory
https://github.com/thenables/thenify/blob/master/index.js%23L17Broken Link
https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4Patch
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317ExploitThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690ExploitThird Party Advisory

FAQ

What is CVE-2020-7677?

CVE-2020-7677 is a vulnerability with a CVSS score of 8.6 (HIGH). This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sani...

How severe is CVE-2020-7677?

CVE-2020-7677 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-7677?

Check the references section above for vendor advisories and patch information. Affected products include: Thenify Project Thenify, Debian Debian Linux, Fedoraproject Fedora.