9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10777

GHSA ID

GHSA-934x-72xh-5hrg

EPSS Score

0.65481%

CWE

CWE-78

Published

2/14/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10777

CVE-2019-10777:
OS command injection in aws-lambda

In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10777

GHSA ID

GHSA-934x-72xh-5hrg

EPSS Score

0.65481%

CWE

CWE-78

Published

2/14/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aws-lambda	npm	<= 1.0.4	1.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized use of config.FunctionName in command construction. The Snyk advisory specifically references line 78 in lib/main.js where zipCmd is built using config.FunctionName. As this is passed directly to exec, the deploy function that orchestrates this process becomes the primary vulnerable entry point. The function name 'deploy' matches the CLI command and module's main interface for deployment operations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *ws-l*m*** v*rsions prior to v*rsion *.*.*, t** "*on*i*.*un*tioN*m*" is us** to *onstru*t t** *r*um*nt us** wit*in t** "*x**" *un*tion wit*out *ny s*nitiz*tion. It is possi*l* *or * us*r to inj**t *r*itr*ry *omm*n*s to t** "zip*m*" us** wit*in "*o

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us* o* *on*i*.*un*tionN*m* in *omm*n* *onstru*tion. T** Snyk **visory sp**i*i**lly r***r*n**s lin* ** in li*/m*in.js w**r* zip*m* is *uilt usin* *on*i*.*un*tionN*m*. *s t*is is p*ss** *ir**tly to *x**, t** **p

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-10777: OS command injection in aws-lambda

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10777:
OS command injection in aws-lambda

Vulnerability Intelligence
Miggo AI