VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

  • CVE-2020-28447 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath).

  • CVE-2020-28435 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.

  • CVE-2020-28436 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    This affects all versions of package google-cloudstorage-commands.

  • CVE-2020-28422 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.00

    All versions of package git-archive are vulnerable to Command Injection via the exports function.

  • CVE-2020-28438 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js.

  • CVE-2020-28446 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.03

    The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.

  • CVE-2020-28443 · Jul 25, 2022
    risk 0.00 · cvss · epss 0.01

    This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.

  • CVE-2022-25900 · Jul 1, 2022
    risk 0.00 · cvss · epss 0.03

    All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

  • CVE-2022-2054 · Jun 12, 2022
    risk 0.00 · cvss · epss 0.01

    Code Injection in GitHub repository nuitka/nuitka prior to 0.9.

  • CVE-2022-24376 · Jun 10, 2022
    risk 0.00 · cvss · epss 0.03

    All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README…

  • CVE-2022-29256 · May 25, 2022
    risk 0.00 · cvss · epss 0.00

    sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of…

  • CVE-2022-26945 · May 25, 2022
    risk 0.00 · cvss · epss 0.02

    go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

  • CVE-2022-29599 · May 23, 2022
    risk 0.00 · cvss · epss 0.04

    In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

  • CVE-2022-25865 · May 13, 2022
    risk 0.00 · cvss · epss 0.07

    The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch…

  • CVE-2022-24437 · May 1, 2022
    risk 0.00 · cvss · epss 0.04

    The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the outpath parameter passed to…

  • CVE-2022-25866 · Apr 25, 2022
    risk 0.00 · cvss · epss 0.04

    The package czproject/git-php before 4.0.3 is vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that…

  • CVE-2022-29080 · Apr 12, 2022
    risk 0.00 · cvss · epss 0.02

    The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.

  • CVE-2022-21235 · Apr 1, 2022
    risk 0.00 · cvss · epss 0.02

    The package github.com/masterminds/vcs before 1.13.3 is vulnerable to Command Injection via argument injection. When hg is executed, argument strings are passed to hg in a way that additional flags can be set. The additional flags can be used to perform a command injection.

  • CVE-2022-21187 · Mar 14, 2022
    risk 0.00 · cvss · epss 0.04

    The package libvcs before 0.11.1 is vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command…

  • CVE-2022-24433 · Mar 11, 2022
    risk 0.00 · cvss · epss 0.04

    The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was…