Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.
WS-2017-3737 - Medium Severity Vulnerability
Vulnerable Library - shelljs-0.7.8.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/shelljs/package.json
Dependency Hierarchy: - node-virustotal-2.4.2.tgz (Root Library) - :x: **shelljs-0.7.8.tgz** (Vulnerable Library)
Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1
Vulnerability Details
Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.
Publish Date: 2019-06-16
URL: WS-2017-3737
CVSS 2 Score Details (5.5)
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here