CVE-2020-7738

All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad().

Published Byreport@snyk.io

Published DateOct 02, 2020, 10:15

Affected Versions(1)

shiba(npm)

Introduced0

FixedN/A

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
shiba(npm)	0	N/A	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

LOW

References

https://snyk.io/vuln/SNYK-JS-SHIBA-596466

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

8.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

LOW