CVE-2020-5282 - Vulnerability Details - OpenCVE

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nick Chan Bot Project	Nick Chan Bot

Configuration 1 [-]

OR	cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_11::::::
	cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_7::::::
	cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_8::::::
	cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_9::::::

No data.

References

Link	Providers
https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba
https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-03-25T18:15:14

Updated: 2024-08-04T08:22:09.078Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5282

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-25T19:15:15.980

Modified: 2024-11-21T05:33:49.770

Link: CVE-2020-5282

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "nickchanbot", "vendor": "Nick Chan", "versions": [{"status": "affected", "version": "< 1.0.0-beta"}]}], "descriptions": [{"lang": "en", "value": "In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-25T18:15:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba"}], "source": {"advisory": "GHSA-8xwp-r7pj-cgw3", "discovery": "UNKNOWN"}, "title": "arbitrary shell execution in Nick Chan Bot", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5282", "STATE": "PUBLIC", "TITLE": "arbitrary shell execution in Nick Chan Bot"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "nickchanbot", "version": {"version_data": [{"version_value": "< 1.0.0-beta"}]}}]}, "vendor_name": "Nick Chan"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta"}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3", "refsource": "CONFIRM", "url": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3"}, {"name": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba", "refsource": "MISC", "url": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba"}]}, "source": {"advisory": "GHSA-8xwp-r7pj-cgw3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.078Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5282", "datePublished": "2020-03-25T18:15:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.078Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_11:*:*:*:*:*:*", "matchCriteriaId": "11AC2378-8131-44F0-8347-5BEBEABC4A99", "vulnerable": true}, {"criteria": "cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_7:*:*:*:*:*:*", "matchCriteriaId": "91A429D2-B851-4611-866D-CD39841C4119", "vulnerable": true}, {"criteria": "cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_8:*:*:*:*:*:*", "matchCriteriaId": "5EC0F894-0755-49AD-ADB5-B410838E0E22", "vulnerable": true}, {"criteria": "cpe:2.3:a:nick_chan_bot_project:nick_chan_bot:1.0.0:beta_pre_9:*:*:*:*:*:*", "matchCriteriaId": "1BB1D112-3880-410B-8E30-D66F9956FC13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta"}, {"lang": "es", "value": "En Nick Chan Bot versiones anteriores a 1.0.0-beta, se presenta una vulnerabilidad en el comando \"npm\" el cual es parte de este paquete de software. Esto permite una ejecuci\u00f3n de shell arbitraria, lo que puede comprometer al bot. Esto se parche\u00f3 en la versi\u00f3n 1.0.0-beta."}], "id": "CVE-2020-5282", "lastModified": "2024-11-21T05:33:49.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-25T19:15:15.980", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}