CVE-2021-21414 – @prisma/sdk

Package

Manager: npm
Name: @prisma/sdk
Vulnerable Version: >=0 <2.20.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.01903 pctl0.82535

Details

Command injection vulnerability in @prisma/sdk in getPackedPackage function ### Impact As of today, we are not aware of any Prisma users or external consumers of the `@prisma/sdk` package who are affected by this security vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the `getPackedPackage` function and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase. ### Patches Fixed in - @prisma/sdk@2.20.0 (latest channel) - @prisma/sdk@2.20.0-dev.29 (dev channel) Pull Request closing this vulnerability [https://github.com/prisma/prisma/pull/6245](https://github.com/prisma/prisma/pull/6245) ### Acknowledgements This issue was discovered and reported by GitHub Engineer [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh). ### For more information If you have any questions or comments about this advisory: - Create a discussion in [the Prisma repository](https://github.com/prisma/prisma/discussions) - Email us at security@prisma.io

Metadata

Created: 2021-04-06T17:25:12Z
Modified: 2021-03-31T18:00:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-pxcc-hj8w-fmm7/GHSA-pxcc-hj8w-fmm7.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-pxcc-hj8w-fmm7
Finding: F404
Auto approve: 1