
CVE-2020-36380:
Vulnerability in crunch function leads to arbitrary code execution via filePath parameters

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.78008%
Published: 11/1/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
aaptjs       | npm       | <= 1.3.1            | (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability description names the crunch function as the entry point.
  2. The GitHub issue (#2) shows exec() being called in index.js on a command string assembled from raw, unescaped input.
  3. The assigned CWEs (CWE-77 command injection, CWE-78 OS command injection) point to command injection via user-controlled input, here the filePath parameter.
  4. The attack pattern matches the classic unsafe exec() usage: user-supplied values interpolated into a shell command string without escaping, so shell metacharacters in the value are interpreted as additional commands.


WAF Protection Rules

WAF Rule

aaptjs is a node wrapper for aapt. An issue was discovered in the crunch function in shenzhim aaptjs 1.3.1, which allows attackers to execute arbitrary code via the filePath parameters.
