CVE-2020-7677
HIGHthenify < 3.3.1 - Remote Code Execution via Unsanitized Name Argument
Title source: llmDescription
This affects the package thenify before 3.3.1. The name argument provided to the package can be controlled by users without any sanitization, and this is provided to the eval function without any sanitization.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/09/msg00039.html
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
Scores
CVSS v3
8.6
EPSS
0.0164
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Details
Status
published
Products (6)
debian/debian_linux
10.0
fedoraproject/fedora
36
fedoraproject/fedora
37
npm/thenify
0 - 3.3.1npm
org.webjars.npm/thenify
0 - 3.3.1Maven
thenify_project/thenify
< 3.3.1
Published
Jul 25, 2022
Tracked Since
Feb 18, 2026