Severity: High | Source: NVD Advisory | Published Apr 29, 2021 | Updated Aug 3, 2024
Command injection vulnerability in @prisma/sdk in getPackedPackage function
CVE-2021-21414
Description
Prisma is an open source ORM for Node.js & TypeScript. As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function; this function is not advertised and is only used for tests and for building our CLI. No malicious code was found after checking our codebase.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @prisma/sdk | npm | < 2.20.0 | 2.20.0 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (6)
- github.com/advisories/GHSA-pxcc-hj8w-fmm7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21414 (NVD advisory)
- github.com/prisma/prisma/pull/6245 (GitHub pull request; GHSA reference)
- github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7 (vendor security advisory; GHSA reference, confirmed)
- security.netapp.com/advisory/ntap-20210618-0003 (NetApp advisory; GHSA reference)
- security.netapp.com/advisory/ntap-20210618-0003/ (NetApp advisory; MITRE reference, confirmed)