Security issue
mlp73 opened this issue · 1 comments
mlp73 commented
Hi!
I just wanted to bring your attention to the following issue when using jake 10.8.5
Issue
2021-0253
Severity
Sonatype CVSS 37.3
CVE CVSS 2.00.0
Explanation
The jake package is vulnerable to OS Command Injection. The publish task in the publish_task.js file fails to sanitize jakefile contents before using them to construct a command that is executed via execSync(). An attacker with the ability to modify the jakefile.js file can exploit this vulnerability to execute arbitrary commands by creating tasks that contain a combination of shell meta-characters and commands and executing them via the affected fetchTags, getCurrentBranch and version functionalities.