Description

An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

Remediation

References

https://nodesecurity.io/advisories/143

Related Vulnerabilities

CVE-2016-10643 Vulnerability in npm package jstestdriver

CVE-2023-31582 Vulnerability in maven package org.bitbucket.b_c:jose4j

CVE-2023-30094 Vulnerability in npm package total4

CVE-2018-11011 Vulnerability in maven package cc.ryanc:halo

CVE-2013-5960 Vulnerability in maven package org.owasp.esapi:esapi

Severity

Critical

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory