汇总 codecov 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 命令注入 等安全问题,并影响 软件部署与生产负载 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2019-10800 | This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method. | [email protected] | 6.5 | 0.32% | 2022-07-13 | 2024-11-21 |
| CVE-2020-15123 | In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case. Particularly in th | [email protected] | 9.3 | 0.15% | 2020-07-20 | 2024-11-21 |
| CVE-2020-7597 | codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596. | [email protected] | 8.8 | 0.69% | 2020-02-17 | 2024-11-21 |
| CVE-2020-7596 | Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. | [email protected] | 8.8 | 1.23% | 2020-01-25 | 2024-11-21 |