
CVE-2020-28446: ntesseract vulnerable to Command Injection

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score
0.78376%
Published
7/26/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
ntesseract | npm | < 0.2.9 | 0.2.9

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. The vulnerability is explicitly located in lib/tesseract.js according to all sources.
  2. The GitHub patch shows modifications to the 'command' function in this file.
  3. The pre-patch code directly interpolates the user-controlled 'image' parameter into the system command arguments without sanitization.
  4. The fix adds quote wrapping in an attempt to mitigate the injection (though the mitigation is imperfect).
  5. The CWE-77 classification confirms this is a command injection vulnerability in command construction.
  6. Snyk's PoC demonstrates exploitation through the process() method, which likely calls this command function.


WAF Protection Rules

WAF Rule

The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.
