
CVE-2020-7636: OS Command Injection in adb-driver

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.74762%
Published: 12/9/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
adb-driver     npm         <= 0.1.8

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. Multiple sources (Snyk, NVD, GitHub Advisory) explicitly reference command execution via the 'command function' as the attack vector
  2. The Snyk PoC directly uses execADBCommand with untrusted input
  3. The vulnerability documentation specifies improper neutralization of OS commands (CWE-78)
  4. The file path is confirmed in Snyk's technical analysis pointing to line 26 of build/AdbDriver.js
  5. The function's purpose (executing ADB commands) inherently requires shell invocation, making it susceptible to injection if unsanitized


WAF Protection Rules

WAF Rule

adb-driver through 0.1.8 is vulnerable to Command Injection. It allows execution of arbitrary commands via the command function.
