CVE-2020-7777: Arbitrary Code Execution

November 23, 2020 (updated December 3, 2020)

This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.

References

nvd.nist.gov/vuln/detail/CVE-2020-7777

Detect and mitigate CVE-2020-7777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →