
CVE-2020-28436: google-cloudstorage-commands Command Injection vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.27834%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: google-cloudstorage-commands
Ecosystem: npm
Vulnerable Versions: <= 0.0.1
First Patched Version: (none)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability is command injection (CWE-77) which requires unsanitized input in command execution.
  2. Snyk's PoC specifically shows exploitation via the upload function.
  3. The GitHub advisory links to index.js line 11 which likely contains the vulnerable command construction.
  4. The package's deprecated status and lack of patching confirm the vulnerability resides in existing functions.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

A command injection vulnerability affects all versions of the deprecated package google-cloudstorage-commands.
