Miggo Logo
Miggo Vulnerability Database
CVE-2020-8137

CVE-2020-8137: Code injection in blamer

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-8137
GHSA ID
GHSA-7vm7-j8p7-h346
EPSS Score
0.88891%
CWE
CWE-94
Published
5/6/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
blamernpm<= 1.0.01.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves code injection leading to RCE when processing user input. In Node.js packages, this typically occurs when user input is passed to command execution functions like child_process.exec without proper sanitization. The blamer package's core functionality involves executing git commands, making Blamer.getBlame the most probable location where user input would be incorporated into system commands. The medium confidence reflects the lack of direct patch access, but aligns with the described vulnerability pattern and npm ecosystem practices.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o** inj**tion vuln*r**ility in *l*m*r *.*.* *n* **rli*r m*y r*sult in r*mot* *o** *x**ution w**n t** input **n ** *ontroll** *y *n *tt**k*r.

Reasoning

T** vuln*r**ility involv*s *o** inj**tion l***in* to R** w**n pro**ssin* us*r input. In `No**.js` p**k***s, t*is typi**lly o**urs w**n us*r input is p*ss** to *omm*n* *x**ution *un*tions lik* `**il*_pro**ss.*x**` wit*out prop*r s*nitiz*tion. T** *l*m
CVE-2020-8137: blamer Input Code Injection RCE | Miggo