CVE-2019-10800: Snyk Vulnerability Database | Snyk
This affects the package codecov before 2.0.16. The vulnerability occurs because gcov arguments are not sanitized before being passed to the popen method.
snyk-id: SNYK-PYTHON-CODECOV-552149
published: 25 Feb 2020
disclosed: 25 Feb 2020
credit: Sam Sanoop of Snyk Security Team
How to fix?
Upgrade codecov to version 2.0.16 or higher.
Overview
codecov is a Python report uploader for Codecov.
Affected versions of this package are vulnerable to Command Injection. The vulnerability occurs because the gcov arguments supplied on the command line (--gcov-args, --gcov-exec, --gcov-root) are not sanitized before being passed to the popen method, so shell metacharacters in those values are interpreted by the shell.
PoC by Snyk
codecov --gcov-args='& echo test > vuln1.txt' --gcov-exec='& echo test > vuln2.txt' --gcov-root='& echo test > vuln3.txt' -t foobar
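The pattern the advisory describes, shown here as an added illustration that is not codecov's own source: a shell command string assembled from the --gcov-exec, --gcov-root and --gcov-args values (the vulnerable form) beside an argv list run with no shell (the hardened form). The find/gcov command shape and function names are assumptions; the sample input is the value from the PoC above.

```python
import shlex
import subprocess
from typing import List

# Sample input taken from the PoC on this page; used only to show how each
# builder treats it.
POC_VALUE = "& echo test > vuln1.txt"


def build_gcov_shell_string(gcov_exec: str, gcov_root: str, gcov_args: str) -> str:
    """Vulnerable pattern (assumed shape): option values spliced into one string.

    Handed to a shell via os.popen or subprocess with shell=True, the '&' in the
    value terminates the find command and starts a second, caller-chosen one."""
    return f"find {gcov_root} -name '*.gcno' -exec {gcov_exec} {gcov_args} {{}} +"


def build_gcov_argv(gcov_exec: str, gcov_root: str, gcov_args: str) -> List[str]:
    """Hardened form: an argv list to run with shell=False.

    shlex.split tokenises gcov_args the way a shell would, but no shell ever
    runs, so '&' and '>' reach gcov as plain argument strings it will reject."""
    argv = ["find", gcov_root, "-name", "*.gcno", "-exec", gcov_exec]
    argv += shlex.split(gcov_args)
    argv += ["{}", "+"]
    return argv


def quote_for_shell(value: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote wraps the value
    in single quotes, so its metacharacters lose their meaning."""
    return shlex.quote(value)


def run_gcov(gcov_exec: str, gcov_root: str, gcov_args: str) -> subprocess.CompletedProcess:
    """Execute the hardened form: list argv, shell=False."""
    return subprocess.run(build_gcov_argv(gcov_exec, gcov_root, gcov_args),
                          shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("shell string:", build_gcov_shell_string("gcov", ".", POC_VALUE))
    print("argv list:   ", build_gcov_argv("gcov", ".", POC_VALUE))
    print("quoted:      ", quote_for_shell(POC_VALUE))
```

The fix in codecov 2.0.16 is the one to apply; the point of the block is the difference between a string a shell parses and a list of arguments no shell sees.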