CVE-2020-7636: OS Command Injection in adb-driver
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.74762%
CWE:
Published: 12/9/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
adb-driver | npm | <= 0.1.8 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- Multiple sources (Snyk, NVD, GitHub Advisory) explicitly reference command execution via the 'command function' as the attack vector
- The Snyk PoC directly uses execADBCommand with untrusted input
- The vulnerability documentation specifies improper neutralization of OS commands (CWE-78)
- The file path is confirmed in Snyk's technical analysis pointing to line 26 of build/AdbDriver.js
- The function's purpose (executing ADB commands) inherently requires shell invocation, making it susceptible to injection if unsanitized
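
A mitigation pattern for the root cause listed above, as an added example (not code from adb-driver or from the advisories cited): a wrapper that validates input against an allow-list and passes arguments to adb as an array through `execFileSync`, so no shell parses them. The names `buildAdbArgs`, `runAdb` and `isRejected`, the allow-list contents and `adb` being on PATH are assumptions made for illustration.

```javascript
'use strict';
const { execFileSync } = require('node:child_process');

// Hypothetical allow-list: the only adb subcommands this wrapper will run.
const ALLOWED_SUBCOMMANDS = new Set(['devices', 'version', 'get-state', 'connect']);

// Conservative pattern for extra arguments (serials, host:port, paths).
// No whitespace, quotes or shell metacharacters, and no leading '-' so a
// value cannot be read by adb as an option.
const SAFE_ARG = /^[A-Za-z0-9_.:\/=][A-Za-z0-9_.:\/=-]*$/;

// Validate caller input and return the argv array handed to adb.
function buildAdbArgs(subcommand, args = []) {
  if (typeof subcommand !== 'string' || !ALLOWED_SUBCOMMANDS.has(subcommand)) {
    throw new Error(`adb subcommand not allowed: ${JSON.stringify(subcommand)}`);
  }
  if (!Array.isArray(args)) throw new TypeError('args must be an array of strings');
  for (const arg of args) {
    if (typeof arg !== 'string' || !SAFE_ARG.test(arg)) {
      throw new Error(`adb argument rejected: ${JSON.stringify(arg)}`);
    }
  }
  return [subcommand, ...args];
}

// Run adb without a shell: execFileSync passes each array element to the
// process as one argument, so ';', '&&', '|' or '$()' are never interpreted.
function runAdb(subcommand, args = [], adbPath = 'adb') {
  return execFileSync(adbPath, buildAdbArgs(subcommand, args), {
    encoding: 'utf8',
    shell: false,    // the default for execFile, stated explicitly
    timeout: 10000,  // do not hang on an unresponsive device
  });
}

// Helper for the constructed samples below: true if validation rejects the input.
function isRejected(subcommand, args) {
  try { buildAdbArgs(subcommand, args); return false; } catch { return true; }
}

// Constructed sample inputs (not taken from the advisory).
console.log(buildAdbArgs('connect', ['192.0.2.10:5555']));                 // accepted
console.log(isRejected('devices; echo INJECTED'));                         // rejected
console.log(isRejected('connect', ['192.0.2.10:5555; echo INJECTED']));    // rejected
```

The allow-list and argument pattern are defense in depth; the property that removes the CWE-78 condition is that the argument array never passes through a shell.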