CVE-2020-7613 – clamscan

Package

Manager: npm
Name: clamscan
Vulnerable Version: >=0 <1.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.01803 pctl0.82084

Details

Clamscan vulnerable to command injection clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue.

Metadata

Created: 2022-05-24T17:13:40Z
Modified: 2023-10-19T18:32:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5v25-xr56-phph/GHSA-5v25-xr56-phph.json
CWE IDs: ["CWE-74", "CWE-78"]
Alternative ID: GHSA-5v25-xr56-phph
Finding: F404
Auto approve: 1