CVE-2020-7677
PUBLISHED
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users and is passed to the eval function without any sanitization.
Risk Scores
EPSS Score: 0.24% (46.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | node-thenify | 0, 3.3.0-1 |
| Ubuntu:20.04:LTS | node-thenify | 0, 3.3.0-1 |
Timeline
- Jul 18, 2022 CVE Published
- Jul 26, 2022 EPSS Score
- Sep 10, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 11, 2022 EPSS Score
- Jan 26, 2023 EPSS Score
- Mar 14, 2023 EPSS Score
- Apr 29, 2023 EPSS Score
- Jun 14, 2023 EPSS Score
- Jul 30, 2023 EPSS Score
- Sep 14, 2023 EPSS Score
- Oct 30, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-7677 third-party-advisory
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690 third-party-advisory
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a third-party-advisory
- https://github.com/thenables/thenify/blob/master/index.js%23L17 third-party-advisory
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317 third-party-advisory
- https://ubuntu.com/security/notices/USN-6016-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-7677 third-party-advisory