CVE-2020-7677
Publication date 25 July 2022
Last updated 24 July 2024
Ubuntu priority
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-thenify | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 3.3.0-1+deb10u1build0.20.04.1
|
|
| 18.04 LTS bionic |
Fixed 3.3.0-1+deb10u1build0.18.04.1
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6016-1
- thenify vulnerability
- 13 April 2023
Other references
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://github.com/thenables/thenify/blob/master/index.js%23L17
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://www.cve.org/CVERecord?id=CVE-2020-7677