OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2022-0144 #185

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 2 years ago

CVE-2022-0144

Vulnerable dependency: shelljs (npm) 0.8.4

Vulnerability details

Description

### Improper Privilege Management
> The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

### NVD
> shelljs is vulnerable to Improper Privilege Management

### GitHub
> Improper Privilege Management in shelljs
>
> shelljs is vulnerable to Improper Privilege Management

CVSS details - 7.1

|CVSS3 metrics||
|:-|:-|
|Attack Vector|**Local**|
|Attack Complexity|**Low**|
|Privileges Required|**Low**|
|User interaction|**None**|
|Scope|**Unchanged**|
|Confidentiality|**High**|
|Integrity|**None**|
|Availability|**High**|

References

- [NVD - CVE-2022-0144](https://nvd.nist.gov/vuln/detail/CVE-2022-0144)
- [Improper Privilege Management in shelljs · CVE-2022-0144 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-4rq4-32rv-6wp6)
- [fix(exec): lockdown file permissions (#1060) · shelljs/shelljs@d919d22 · GitHub](https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c)
- [Improper Privilege Management vulnerability found in shelljs](https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c)
- [Trying to get in touch regarding a security issue · Issue #1058 · shelljs/shelljs · GitHub](https://github.com/shelljs/shelljs/issues/1058)
- [GitHub - shelljs/shelljs: Portable Unix shell commands for Node.js](https://github.com/shelljs/shelljs)
- [shelljs/exec.js at master · shelljs/shelljs · GitHub](https://github.com/shelljs/shelljs/blob/master/src/exec.js#L36L38)

Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE

 

AramAlsabti commented 1 year ago

Duplicate of https://github.com/OS2iot/OS2IoT-backend/pull/187