CVE-2020-7604
Description
A command injection vulnerability in pulverizr up to 0.7.0 allows arbitrary commands via the filename argument to exec() without sanitization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-7604 is a command injection vulnerability in the pulverizr package up to version 0.7.0. The flaw resides in lib/job.js, where the filename variable is passed directly to the exec call without any sanitization. An attacker can control the filename input, leading to arbitrary command execution. [1][2]
Exploitation
Exploitation requires the attacker to create a file whose name carries the command payload. The published proof-of-concept uses touch Song as the injected command: the file is saved under the name "&touch Song&&"a.jpg and the job is then triggered with that input, so the exec call runs the embedded command alongside the intended one. No authentication is required if the attacker can supply input to the function. [1][3]
Impact
Successful exploitation allows an attacker to execute arbitrary system commands in the context of the application. This can lead to data exfiltration, further compromise of the host, or denial of service. CVSS 3.1 base score is 9.8 (Critical). [1][3]
Mitigation
As of the advisory, there is no fixed version for pulverizr; the repository has been archived. Users should avoid using this package and migrate to an alternative solution. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pulverizr (npm) | <= 0.7.0 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-fmf5-j5j9-99pp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7604 (ghsa, ADVISORY)
- github.com/bentruyman/pulverizr/blob/master/lib/job.js (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-PULVERIZR-560122 (ghsa, x_refsource_MISC, WEB)