CVE-2020-7597: codecov NPM module allows remote attackers to execute arbitrary commands

CVSS 3.1 Score: 8.8

Basic Information

EPSS Score: 0.70798%
Published: 2/19/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: codecov
Ecosystem: npm
Vulnerable Versions: < 3.6.5
First Patched Version: 3.6.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from how the 'gcov-root' parameter is handled during command construction. The commit diff shows the vulnerable code relied on validator.escape() for sanitization, which does not prevent command injection through shell operators such as '&'. The patch introduced a custom sanitizeVar function that strips ampersands, confirming the attack vector. Because exec runs the constructed command string, which contains user-controlled input, the upload function is the primary vulnerable point.

WAF Protection Rules

WAF Rule

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix
