Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue #416

Open
mlp73 opened this issue Oct 21, 2022 · 1 comment
Open

Security issue #416

mlp73 opened this issue Oct 21, 2022 · 1 comment

Comments

@mlp73
Copy link

mlp73 commented Oct 21, 2022

Hi!
I just wanted to bring your attention to the following issue when using jake 10.8.5

Issue
2021-0253
Severity
Sonatype CVSS 37.3
CVE CVSS 2.00.0

Explanation
The jake package is vulnerable to OS Command Injection. The publish task in the publish_task.js file fails to sanitize jakefile contents before using them to construct a command that is executed via execSync(). An attacker with the ability to modify the jakefile.js file can exploit this vulnerability to execute arbitrary commands by creating tasks that contain a combination of shell meta-characters and commands and executing them via the affected fetchTags, getCurrentBranch and version functionalities.
@bymi15
Copy link

bymi15 commented Oct 25, 2022

Hi @mde would you please be able to look into this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mlp73 @bymi15