CVE-2019-10777: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

February 14, 2020 (updated August 19, 2021)

In aws-lambda versions, the “config.FunctioName” is used to construct the argument used within the “exec” function without any sanitization. It is possible for a user to inject arbitrary commands to the “zipCmd” used within “config.FunctionName”.

References

github.com/advisories/GHSA-934x-72xh-5hrg
github.com/awspilot/cli-lambda-deploy
nvd.nist.gov/vuln/detail/CVE-2019-10777
snyk.io/vuln/SNYK-JS-AWSLAMBDA-540839

Detect and mitigate CVE-2019-10777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →