CVE-2019-10778: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
devcert-sanscache allows remote attackers to execute arbitrary code or cause a command injection via the exec function. The variable commonName, which is controlled by user input, is used as part of the command passed to the exec function without any sanitization.
Detect and mitigate CVE-2019-10778 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.