Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.
WS-2017-3737 - Medium Severity Vulnerability
Vulnerable Library - shelljs-0.8.3.tgz
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.3.tgz
Path to dependency file: /TCSTK-custom-form-app-plugin/package.json
Path to vulnerable library: /tmp/git/TCSTK-custom-form-app-plugin/node_modules/shelljs/package.json
Dependency Hierarchy: - compiler-cli-7.2.15.tgz (Root Library) - :x: **shelljs-0.8.3.tgz** (Vulnerable Library)
Vulnerability Details
Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.
Publish Date: 2019-06-16
URL: WS-2017-3737
CVSS 2 Score Details (5.5)
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here