Codecov

codecov

4 CVEs • 3 products

Products (3)

Click to collapse

Toggle

Nodejs Uploader

nodejs_uploader

CVEs (4)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-10800 1Codecov 1Codecov Python Nov 21, 2024 Jul 13, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method.
CVE-2020-15123 1Codecov 1Codecov Nov 21, 2024 Jul 20, 2020 N/A· v4 9.3 CRITICAL· v3 6.8 MEDIUM· v2 In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that conta...Show more In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.Show less
CVE-2020-7597 1Codecov 1Codecov Nov 21, 2024 Feb 17, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability e...Show more codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.Show less
CVE-2020-7596 1Codecov 1Nodejs Uploader Nov 21, 2024 Jan 25, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.