CVE-2020-7613

HIGH

clamscan < 1.2.0 - OS Command Injection via _is_clamav_binary Function

Title source: llm

Description

clamscan through 1.2.0 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the `_is_clamav_binary` function located within `Index.js`. It should be noted that this vulnerability requires a pre-requisite that a folder should be created with the same command that will be chained to execute. This lowers the risk of this issue.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-CLAMSCAN-564113

Third Party Advisory x_refsource_misc

https://github.com/kylefarris/clamscan/blob/master/index.js#L34

View Writeup ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0212

EPSS Percentile 79.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

clamscan_project/clamscan < 1.2.0

npm/clamscan 0 - 1.3.0npm

Published Apr 07, 2020

Tracked Since Feb 18, 2026