Miggo Logo

CVE-2020-7784: Command injection in ts-process-promises

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.65538%
Published
1/13/2021
Updated
9/8/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ts-process-promisesnpm= 1.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. Multiple sources (GitHub Advisory, NVD, Snyk) identify line 45 in lib/process-promises.js as the injection point.
  2. The PoC demonstrates vulnerability through the exec function call (a.exec('touch JHU', {})).
  3. CWE-77 classification confirms command injection pattern.
  4. The function name 'exec' aligns with Node.js child_process.exec patterns where command injection vulnerabilities commonly occur when input isn't sanitized.
  5. Lack of patching indicates the vulnerable function remains unmodified in all versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsions o* p**k*** ts-pro**ss-promis*s. T** inj**tion point is lo**t** in lin* ** in m*in *ntry o* p**k*** in li*/pro**ss-promis*s.js.

Reasoning

*. Multipl* sour**s (*it*u* **visory, NV*, Snyk) i**nti*y lin* ** in li*/pro**ss-promis*s.js *s t** inj**tion point. *. T** Po* **monstr*t*s vuln*r**ility t*rou** t** *x** *un*tion **ll (*.*x**('tou** J*U', {})). *. *W*-** *l*ssi*i**tion *on*irms *om