CVE-2020-7789
Arbitrary Command Execution vulnerability in node-notifier (npm)
What is CVE-2020-7789 About?
The 'node-notifier' package before 8.0.1 on Linux is vulnerable to arbitrary command execution. This vulnerability allows an attacker to run commands due to improper sanitization of array options. It is relatively easy to exploit for an attacker who can control the notification options.
Affected Software
Technical Details
The vulnerability in 'node-notifier' prior to version 8.0.1 on Linux systems arises from insufficient sanitization of the options parameter when it is passed as an array. Specifically, the component responsible for building the command-line arguments to execute external notification tools does not properly escape or quote array elements. An attacker who can control options passed to 'node-notifier' can inject arbitrary shell commands within an array element, which then get executed by the underlying shell, leading to arbitrary command execution with the privileges of the running application.
What is the Impact of CVE-2020-7789?
Successful exploitation may allow attackers to execute arbitrary commands on the affected Linux system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2020-7789?
Exploitation involves passing an array containing maliciously crafted strings as the 'node-notifier' options parameter. The complexity of exploitation is low, as it relies on basic command injection techniques. Typically, no authentication or specific privileges are required beyond the ability to influence the notification options. This is primarily a local vulnerability, requiring the attacker to have some level of access to or control over the application's input, although it could be exposed remotely if an application passes user input directly to 'node-notifier'. The main constraint is that the vulnerable package must be running on a Linux machine. Risk factors include applications that allow users to customize notification messages or parameters.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7789?
Available Upgrade Options
- node-notifier
  - <8.0.1 → Upgrade to 8.0.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-7789
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050371
- https://github.com/mikaelbr/node-notifier/blob/master/lib/utils.js#L303
- https://github.com/mikaelbr/node-notifier/commit/5d62799dab88505a709cd032653b2320c5813fce
- https://snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794
- https://osv.dev/vulnerability/GHSA-5fw9-fq32-wv5p
What are Similar Vulnerabilities to CVE-2020-7789?
Similar Vulnerabilities: CVE-2021-21315, CVE-2021-29463, CVE-2022-21696, CVE-2022-24329, CVE-2021-3807
