VDB
CVE-2020-7677
CVE-2020-7677
PUBLISHED
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
EPSS 1.05% · 77.9th percentile
Risk Scores
EPSS Score
1.05%
77.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | node-thenify | 0, 3.3.0-1 |
| Ubuntu:20.04:LTS | node-thenify | 0, 3.3.0-1 |
Timeline
- Jul 18, 2022 CVE Published
- Jul 26, 2022 EPSS Score
- Sep 11, 2022 EPSS Score
- Oct 27, 2022 EPSS Score
- Dec 13, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 16, 2023 EPSS Score
- May 2, 2023 EPSS Score
- Jun 18, 2023 EPSS Score
- Aug 4, 2023 EPSS Score
- Sep 19, 2023 EPSS Score
- Nov 5, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-7677 third-party-advisory
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690 third-party-advisory
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a third-party-advisory
- https://github.com/thenables/thenify/blob/master/index.js%23L17 third-party-advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317 third-party-advisory
- https://ubuntu.com/security/notices/USN-6016-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-7677 third-party-advisory