Description

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.

Remediation

References

https://security.snyk.io/vuln/SNYK-JS-ISHTTP2-3153878

https://github.com/stefanjudis/is-http2/blob/master/index.js%23L23

Related Vulnerabilities

CVE-2020-7678 Vulnerability in npm package node-import

CVE-2022-31150 Vulnerability in maven package org.webjars.npm:undici

CVE-2023-46654 Vulnerability in maven package org.jenkins-ci.plugins:electricflow

CVE-2020-7754 Vulnerability in npm package npm-user-validate

CVE-2022-34112 Vulnerability in maven package io.dataease:dataease-plugin-common

Severity

High

Classification

CWE-78 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Broken Link