SNYK-JS-NODENOTIFIER-1035794
## Overview

[node-notifier](https://www.npmjs.org/package/node-notifier) is a Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback).

Affected versions of this package are vulnerable to Command Injection. An attacker can run arbitrary commands on Linux machines because the `options` params are not sanitised when they are passed as an array.

## Remediation

Upgrade `node-notifier` to version 5.4.5, 8.0.2, 9.0.1 or higher.

## References

- [GitHub Commit](https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a)
- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1906853)
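The class of bug described in the Overview, an escape step that only runs for string values so an array slips through unescaped, is shown below as an added example. It is constructed for illustration and is not node-notifier's code; `buildArgsWeak`, `buildArgsHardened`, `hasLiveExpansion` and the sample input are hypothetical names and values.

```javascript
// Added illustration (constructed, not node-notifier source): a sanitiser that
// only handles strings, and a version that normalises arrays before escaping.
const SHELL_META = /(["$`\\])/g;
const escapeForDoubleQuotes = (s) => s.replace(SHELL_META, '\\$1');

// Weak: non-string values skip the escape, then the template literal turns an
// array into "a,b" with its shell metacharacters intact.
function buildArgsWeak(options) {
  const args = [];
  for (const [key, value] of Object.entries(options)) {
    const v = typeof value === 'string' ? escapeForDoubleQuotes(value) : value;
    args.push(`--${key}`, `"${v}"`);
  }
  return args.join(' ');
}

// Hardened: validate the key, accept only scalar elements, flatten arrays to a
// string first, and escape the result regardless of the original type.
function buildArgsHardened(options) {
  const args = [];
  for (const [key, value] of Object.entries(options)) {
    if (!/^[a-z][a-z0-9-]*$/i.test(key)) throw new TypeError(`bad option name: ${key}`);
    const parts = Array.isArray(value) ? value : [value];
    for (const p of parts) {
      if (!['string', 'number', 'boolean'].includes(typeof p)) {
        throw new TypeError(`unsupported value type for ${key}`);
      }
    }
    const flat = parts.map(String).join(',').replace(/[\r\n]+/g, ' ');
    args.push(`--${key}`, `"${escapeForDoubleQuotes(flat)}"`);
  }
  return args.join(' ');
}

// True if a $ or backtick is not preceded by an escaping backslash.
function hasLiveExpansion(cmd) {
  for (let i = 0; i < cmd.length; i++) {
    if (cmd[i] === '\\') { i++; continue; }
    if (cmd[i] === '$' || cmd[i] === '`') return true;
  }
  return false;
}

// Constructed sample input: the array element carries a command substitution.
const sample = { title: 'Build', message: ['done', '$(echo INJECTED)'] };
console.log(buildArgsWeak(sample));
console.log(buildArgsHardened(sample));
```

Where the calling code allows it, passing an argument array to `child_process.execFile` instead of building a command string avoids shell parsing altogether.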
Timeline
- Nov 4, 2020 CVE Updated
- Dec 13, 2020 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-NODENOTIFIER-1035794 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.org/package/node-notifier technical
- https://github.com/mikaelbr/node-notifier/commit/2d3927b200a0fd1721e8b8ad59f84f383d3f0e0a patch
- https://bugzilla.redhat.com/show_bug.cgi?id=1906853 technical