CVE-2019-10788: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

April 13, 2021

im-metadata allows remote attackers to execute arbitrary commands via the “exec” argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the “exec” function.

References

github.com/Turistforeningen/node-im-metadata/commit/ea15dddbe0f65694bfde36b78dd488e90f246639
github.com/advisories/GHSA-qfxv-qqvg-24pg
nvd.nist.gov/vuln/detail/CVE-2019-10788
snyk.io/vuln/SNYK-JS-IMMETADATA-544184

Detect and mitigate CVE-2019-10788 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →