Description

An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

Remediation

References

https://nodesecurity.io/advisories/143

Related Vulnerabilities

CVE-2020-15174 Vulnerability in npm package electron

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2017-16008 Vulnerability in maven package org.webjars.npm:i18next

CVE-2023-40817 Vulnerability in maven package org.opencrx:opencrx-core-models

CVE-2019-16544 Vulnerability in maven package org.jenkins-ci.plugins:qmetry-for-jira-test-management

Severity

Critical

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory