CVE-2020-7624 – effect

Package

Manager: npm
Name: effect
Vulnerable Version: <0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: N/A

EPSS: 0.01227 pctl0.78372

Details

Withdrawn Advisory: OS Command Injection in effect ## Withdrawn Advisory This advisory has been withdrawn because the [npm package effect](https://www.npmjs.com/package/effect), for which alerts were issued, does not correspond with https://github.com/Javascipt/effect, the repository with the vulnerable code. https://github.com/Javascipt/effect is not in any [supported ecosystem](https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#github-reviewed-advisories). Additionally, the CVE Numbering Authority that issued the CVE for CVE-2020-7624 has updated [their advisory](https://snyk.io/vuln/SNYK-JS-EFFECT-564256) stating that "This was deemed not a vulnerability." ## Original Description effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.

Metadata

Created: 2022-02-10T23:45:54Z
Modified: 2024-06-04T18:24:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6hr9-4692-fch9/GHSA-6hr9-4692-fch9.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-6hr9-4692-fch9
Finding: N/A
Auto approve: 0