CVE-2020-7609 - OpenCVE

node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function "fromJSON()" can be controlled by users without any sanitization.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Node-rules Project	Node-rules

Configuration 1 [-]

cpe:2.3:a:node-rules_project:node-rules:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832	Patch Third Party Advisory
https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832%2C
https://snyk.io/vuln/SNYK-JS-NODERULES-560426	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2020-04-27T21:06:35

Updated: 2020-04-27T21:06:35

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7609

JSON object: View

NVD Information

Status : Modified

Published: 2020-04-27T22:15:12.317

Modified: 2023-11-07T03:26:07.743

Link: CVE-2020-7609

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"containers": {"cna": {"affected": [{"product": "node-rules", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions including 3.0.0 and prior to 5.0.0"}]}], "descriptions": [{"lang": "en", "value": "node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function \"fromJSON()\" can be controlled by users without any sanitization."}], "problemTypes": [{"descriptions": [{"description": "Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-27T21:06:35", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832%2C"}, {"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-NODERULES-560426"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2020-7609", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "node-rules", "version": {"version_data": [{"version_value": "All versions including 3.0.0 and prior to 5.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function \"fromJSON()\" can be controlled by users without any sanitization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832,", "refsource": "MISC", "url": "https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832,"}, {"name": "https://snyk.io/vuln/SNYK-JS-NODERULES-560426", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-NODERULES-560426"}]}}}}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7609", "datePublished": "2020-04-27T21:06:35", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-04-27T21:06:35", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:node-rules_project:node-rules:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "78601348-9CAF-4DD1-ADFD-7DC02DA207FD", "versionEndExcluding": "5.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function \"fromJSON()\" can be controlled by users without any sanitization."}, {"lang": "es", "value": "node-rules incluyendo versiones 3.0.0 y anteriores a 5.0.0, permite una inyecci\u00f3n de comandos arbitrarios. Las reglas de argumento de la funci\u00f3n \"fromJSON()\" pueden ser controladas por usuarios sin ning\u00fan saneamiento."}], "id": "CVE-2020-7609", "lastModified": "2023-11-07T03:26:07.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-27T22:15:12.317", "references": [{"source": "nvd@nist.gov", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832"}, {"source": "report@snyk.io", "url": "https://github.com/mithunsatheesh/node-rules/commit/100862223904bb6478fcc33b701c7dee11f7b832%2C"}, {"source": "report@snyk.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-NODERULES-560426"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}