CVE-2019-10800

EUVD-2022-0042
This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method.
Argument Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
snykCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
codecovcodecov-python
𝑥
< 2.0.16
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902
https://snyk.io/vuln/SNYK-PYTHON-CODECOV-552149
https://github.com/codecov/codecov-python/commit/2a80aa434f74feb31242b6f213b75ce63ae97902
https://snyk.io/vuln/SNYK-PYTHON-CODECOV-552149