CVE-2021-21414
7.7
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
Prisma is an open source ORM for Node.js & TypeScript. As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| prisma | prisma | < 2.20.0 | affected |
Weaknesses
- CWE-78: {"CWE-78":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7
- https://github.com/prisma/prisma/pull/6245
- https://security.netapp.com/advisory/ntap-20210618-0003/
References
- https://github.com/prisma/prisma/security/advisories/GHSA-pxcc-hj8w-fmm7
- https://github.com/prisma/prisma/pull/6245
- https://security.netapp.com/advisory/ntap-20210618-0003/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.