Version Details and Security Vulnerabilities

📦

codecov

3.6.1

Comparision Betweeen 3.6.1 and 3.6.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

72.07 KB

72.08 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

codecov

3.6.1

Comparision Betweeen 3.6.1 and 3.6.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

72.07 KB

72.08 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.6.1 of the package codecov.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.6.1 of the package

Summary:

codecov NPM module allows remote attackers to execute arbitrary commands

Details:

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

Details about codecov@3.6.1

Summary:

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Details:

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Details about codecov@3.6.1

Summary:

Command injection in codecov (npm package)

Details:

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

CVE-2020-7597

For more information

If you have any questions or comments about this advisory:

Details about codecov@3.6.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 3.6.1 of the package codecov.

All Security Vulnerabilities

All the vulnerabilities related to the version 3.6.1 of the package

Summary:

codecov NPM module allows remote attackers to execute arbitrary commands

Details:

Details about codecov@3.6.1

Summary:

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov

Details:

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Details about codecov@3.6.1

Summary:

Command injection in codecov (npm package)

Details:

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

References

CVE-2020-7597

For more information

If you have any questions or comments about this advisory:

Details about codecov@3.6.1

Version Details and Security Vulnerabilities

codecov

Comparision Betweeen 3.6.1 and 3.6.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

codecov

Comparision Betweeen 3.6.1 and 3.6.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

For more information

Version Details and Security Vulnerabilities

codecov

Comparision Betweeen 3.6.1 and 3.6.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

codecov

Comparision Betweeen 3.6.1 and 3.6.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

codecov@3.6.1 GHSA-5q88-cjfq-g2mh 8.8

codecov@3.6.1 GHSA-mh2h-6j8q-x246 8.8

codecov@3.6.1 GHSA-xp63-6vf5-xf3v 9.3

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

codecov@3.6.1 GHSA-5q88-cjfq-g2mh 8.8

codecov@3.6.1 GHSA-mh2h-6j8q-x246 8.8

codecov@3.6.1 GHSA-xp63-6vf5-xf3v 9.3

Impact

Patches

Workarounds

References

For more information