Security vulnerability SONATYPE-2021-0253 in a dependent package: jake-10.8.5
The jake package is vulnerable to OS Command Injection. The publish task in the publish_task.js file does not sanitize values read from the jakefile before interpolating them into a command string that is executed via execSync(), which hands the string to a shell. An attacker able to modify jakefile.js can therefore execute arbitrary commands by defining tasks whose configuration contains shell meta-characters followed by commands of their choosing, and triggering the affected fetchTags, getCurrentBranch and version functionality. Two points for anyone triaging this: first, a jakefile is itself JavaScript that jake executes, so anyone who can edit it can already run arbitrary code directly, which makes the finding an unsafe use of execSync() to fix (pass arguments as an array to an API such as execFileSync() instead of building a shell string) rather than a crossed privilege boundary; second, the affected version is 10.8.5, so run `npm ls jake` to see whether it is present in your dependency tree and which package pulls it in.