dherault / serverless-offline

Emulate AWS λ and API Gateway locally when developing your Serverless project
MIT License
5.19k stars, 796 forks

Need a patch for the execa vulnerability #1671

Open langell opened 1 year ago

langell commented 1 year ago

Uncontrolled Search Path Element in execa

Description

Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true, which makes execa search for locally installed binaries and execute them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

Severity: Critical
Project: ****
Tool: Dependency Scanning
Scanner: Gemnasium

Location

File: /package-lock.json

Links

https://github.com/sindresorhus/execa/releases/tag/v2.0.0

Identifiers

Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d

Solution

Upgrade to version 2.0.0 or above.

Evidence

Vulnerable Package

execa:0.7.0
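The scanner report above only names the package and version; to confirm whether a dependency bump actually removed the flagged copy, you need to know which dependency chain pulls `execa:0.7.0` into `/package-lock.json` (a top-level `execa` can be patched while a nested, transitive copy stays at 0.7.0). The following is an added example, not code from the issue reporter or from the serverless-offline project: it walks a package-lock.json in either the lockfileVersion 1 layout (nested `dependencies`) or the 2/3 layout (flat `packages` map keyed by `node_modules/...` path), flags every `execa` entry below the advisory's fix version 2.0.0, and prints the chain it is reached through. The lockfile contents are constructed sample data and `some-dependency` is a hypothetical package name.

```javascript
// Added example (not from the issue or serverless-offline): find copies of
// execa older than the advisory's fix version in a package-lock.json and
// report the dependency chain each one is reached through.

const PACKAGE = "execa";
const FIX_VERSION = "2.0.0"; // advisory: upgrade to 2.0.0 or above

// Numeric comparison of dotted versions; returns -1, 0 or 1.
// Pre-release suffixes are stripped, so "2.0.0-beta" compares as 2.0.0
// and is not flagged; adjust if you want pre-releases treated as older.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIX_VERSION) < 0;
}

// lockfileVersion 1: every entry may carry its own nested "dependencies",
// so the chain is the path of names taken to reach the entry.
function walkV1(deps, chain, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...chain, name];
    if (name === PACKAGE && entry.version && isVulnerable(entry.version)) {
      out.push({ version: entry.version, path: path.join(" > ") });
    }
    walkV1(entry.dependencies, path, out);
  }
}

// lockfileVersion 2/3: keys look like "node_modules/a/node_modules/execa",
// so the chain can be recovered from the key itself.
function walkV2(packages, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (!key.endsWith("node_modules/" + PACKAGE)) continue;
    if (entry.version && isVulnerable(entry.version)) {
      const path = key
        .split("node_modules/")
        .filter(Boolean)
        .map((s) => s.replace(/\/$/, ""));
      out.push({ version: entry.version, path: path.join(" > ") });
    }
  }
}

// Takes a parsed lockfile object; returns one finding per vulnerable copy.
function findVulnerableExeca(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out;
}

// Wrapper for raw file contents, e.g. fs.readFileSync("package-lock.json", "utf8").
function scanLockfileText(text) {
  return findVulnerableExeca(JSON.parse(text));
}

// Constructed sample data: a transitive execa 0.7.0 under the hypothetical
// "some-dependency" plus a patched top-level execa, in both lockfile layouts.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-dependency": {
      version: "1.0.0",
      dependencies: { execa: { version: "0.7.0" } },
    },
    execa: { version: "5.1.1" },
  },
};

const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-project" },
    "node_modules/some-dependency": { version: "1.0.0" },
    "node_modules/some-dependency/node_modules/execa": { version: "0.7.0" },
    "node_modules/execa": { version: "5.1.1" },
  },
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
  for (const f of findVulnerableExeca(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: execa ${f.version} via ${f.path}`);
  }
}
```

Run it against the real lockfile by passing the file contents to `scanLockfileText`; an empty result after the upgrade means no copy of execa below 2.0.0 remains anywhere in the tree, which is what the scanner is checking for. Only the top-level `execa` being updated would still leave the nested copy, and this script makes that visible.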