Description

An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

Remediation

References

https://nodesecurity.io/advisories/143

Related Vulnerabilities

CVE-2020-1912 Vulnerability in npm package hermes-engine

CVE-2016-6812 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http

CVE-2017-16158 Vulnerability in npm package dcserver

CVE-2021-32696 Vulnerability in npm package striptags

CVE-2018-25031 Vulnerability in npm package swagger-ui

Severity

Critical

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory