CVE-2020-7677
Arbitrary Code Execution vulnerability in thenify (npm)

Arbitrary Code Execution | No known exploit

What is CVE-2020-7677 About?

This vulnerability in the 'thenify' package allows for Arbitrary Code Execution due to unsafe use of `eval`. Attackers can provide untrusted user input which is then executed, leading to full compromise of the host. Exploiting this flaw is straightforward given the direct use of `eval` with user input.

Affected Software

  • thenify
    • <3.3.1
  • org.webjars.npm:thenify
    • <3.3.1

Technical Details

The 'thenify' package, in versions prior to 3.3.1, made direct and unsafe calls to the eval function. This means that any untrusted user input that is processed by thenify and subsequently passed into eval can be executed as code by the underlying system. An attacker can craft malicious input containing JavaScript code, which when evaluated, will run with the privileges of the affected application, leading to arbitrary code execution on the host machine.

What is the Impact of CVE-2020-7677?

Successful exploitation may allow attackers to execute arbitrary code, compromise system integrity and confidentiality, and achieve full control over the affected host.

What is the Exploitability of CVE-2020-7677?

Exploitation of this Arbitrary Code Execution vulnerability is considered low to medium complexity, given the direct use of eval with user-supplied input. There are no significant prerequisites other than the application using the vulnerable 'thenify' version and exposing an input path that feeds into the eval call. Authentication requirements would depend on whether the vulnerable input mechanism is accessible to unauthenticated users or if it requires prior authentication. Privilege requirements typically align with the executing application's privileges. This would primarily be a remote exploitation scenario if the affected application processes user input from a network. The likelihood of exploitation is increased in web applications or services that accept and process various forms of user-provided data.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-7677?

Available Upgrade Options

  • org.webjars.npm:thenify
    • <3.3.1 → Upgrade to 3.3.1
  • thenify
    • <3.3.1 → Upgrade to 3.3.1
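
To see whether a project still resolves thenify below 3.3.1, including copies pulled in transitively, the lockfile can be checked directly. The following is an added example, not code from this advisory or from the thenify project; the function names `isVulnerable` and `findThenify` are hypothetical and the lockfile is constructed. It handles both the flat `packages` map (lockfileVersion 2/3) and the nested `dependencies` tree (lockfileVersion 1) of a parsed `package-lock.json`.

```javascript
// Added example (not from the advisory); function names are hypothetical.
const FIXED = [3, 3, 1];
// True if `version` is older than FIXED. Anything that is not plain x.y.z
// (git URL, tag, prerelease, missing) is flagged so a human reviews it.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly the fixed release
}

// Return every installed copy of thenify recorded in a parsed lockfile.
function findThenify(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/thenify' || path.endsWith('/node_modules/thenify')) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'thenify') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/thenify-all': { version: '1.6.0' },
    'node_modules/thenify': { version: '3.3.0' },
    'node_modules/thenify-all/node_modules/thenify': { version: '3.3.1' },
  },
};
console.log(findThenify(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findThenify`; any entry with `vulnerable: true` needs the upgrade listed above.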


What are Similar Vulnerabilities to CVE-2020-7677?

Similar Vulnerabilities: CVE-2021-23337, CVE-2020-7712, CVE-2017-16042, CVE-2017-16040, CVE-2020-7683