7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21414

GHSA ID

GHSA-pxcc-hj8w-fmm7

EPSS Score

0.82424%

CWE

CWE-78

Published

4/6/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21414

CVE-2021-21414:
Command injection vulnerability in @prisma/sdk in getPackedPackage function

Impact

As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability.

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

It only affects the getPackedPackage function and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase.

Patches

Fixed in

@prisma/sdk@2.20.0 (latest channel)
@prisma/sdk@2.20.0-dev.29 (dev channel)

Pull Request closing this vulnerability https://github.com/prisma/prisma/pull/6245

Acknowledgements

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

For more information

If you have any questions or comments about this advisory:

Create a discussion in the Prisma repository
Email us at security@prisma.io

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21414

GHSA ID

GHSA-pxcc-hj8w-fmm7

EPSS Score

0.82424%

CWE

CWE-78

Published

4/6/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@prisma/sdk	npm	< 2.20.0	2.20.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in getPackedPackage where user-controlled 'packageDir' was unsafely interpolated into a shell command. The patch replaced string concatenation with shell-quote.quote() for argument escaping. The test case demonstrates exploitation via backtick injection in packageDir parameter. Runtime detection would show getPackedPackage processing malicious input during command string construction before the security fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *s o* to**y, w* *r* not *w*r* o* *ny Prism* us*rs or *xt*rn*l *onsum*rs o* t** `@prism*/s*k` p**k*** w*o *r* *****t** *y t*is s**urity vuln*r**ility. T*is issu* m*y l*** to r*mot* *o** *x**ution i* * *li*nt o* t** li*r*ry **lls t** vuln*

Reasoning

T** vuln*r**ility *xists in `**tP**k**P**k***` w**r* us*r-*ontroll** 'p**k****ir' w*s uns***ly int*rpol*t** into * s**ll *omm*n*. T** p*t** r*pl**** strin* *on**t*n*tion wit* `s**ll-quot*.quot*()` *or *r*um*nt *s**pin*. T** t*st **s* **monstr*t*s *xp

7.7

Basic Information

Concerned about an active attack path?

CVE-2021-21414: Command injection vulnerability in @prisma/sdk in getPackedPackage function

Impact

Patches

Acknowledgements

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-21414:
Command injection vulnerability in @prisma/sdk in getPackedPackage function

Vulnerability Intelligence
Miggo AI