CVE-2021-21414: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

April 6, 2021 (updated June 21, 2021)

Prisma is an open source ORM for Node.This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase.

References

github.com/advisories/GHSA-pxcc-hj8w-fmm7
github.com/prisma/prisma/pull/6245
github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7
nvd.nist.gov/vuln/detail/CVE-2021-21414
security.netapp.com/advisory/ntap-20210618-0003/

Detect and mitigate CVE-2021-21414 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →