CVE-2020-15123

9.3 CRITICAL

📋 TL;DR

CVE-2020-15123 is a command injection vulnerability in the 'codecov' npm package (the codecov-node uploader). An attacker who controls input to the package's upload method can execute arbitrary shell commands on the host running the uploader. Every version before 3.7.1 is affected, and the exposure matters most in CI build pipelines, where the package is normally invoked. The root cause is an incomplete fix: the earlier patch for CVE-2020-7597 only stripped ampersands from the value before it was spliced into a shell command, so backtick command substitution still reached the shell.

💻 Affected Systems

Products:
  • codecov-node
Versions: All versions before 3.7.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The attack surface is limited. Exploitation requires control over the input to the upload method, and in standard use that input comes from CI configuration inside a controlled build environment rather than from a user-facing application. Treat it as reachable wherever untrusted parties can influence the values the pipeline passes to the uploader.

📦 What is this software?

codecov-node, published on npm as 'codecov', is the Node.js uploader for the Codecov coverage service: it gathers the coverage reports produced by a project's test run and uploads them to codecov.io, typically as one step of a CI job. Because it runs inside the build, the uploader process inherits whatever the build agent holds (source, tokens, deployment credentials).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution with the privileges of the process running the uploader, which on CI is usually the build agent user with access to source, CI secrets and deployment credentials. From there an attacker can take over the build host, steal secrets, tamper with artifacts, or move laterally into systems the agent can reach.

🟠

Likely Case

Command execution inside a CI job with that job's privileges: enough to read CI secrets and the upload token, modify build artifacts before they are published, or disrupt the pipeline.

🟢

If Mitigated

No impact once 3.7.1 or later is installed for every copy of codecov in the dependency tree, or if strict input validation keeps shell metacharacters from ever reaching the upload method.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires control over a value that is passed to the vulnerable upload method. The public proof of concept shows a backtick command substitution passing the ampersand-only filter of the earlier fix and being executed by the shell.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.1

Vendor Advisory: https://github.com/codecov/codecov-node/security/advisories/GHSA-xp63-6vf5-xf3v

Restart Required: No

Instructions:

1. Upgrade to 3.7.1 or later: 'npm install --save-dev codecov@^3.7.1', or edit package.json so the range cannot resolve below the fix, e.g. 'codecov': '>=3.7.1'. Note that 'npm update codecov' only moves within the range already declared in package.json, so it will not reach 3.7.1 if that range excludes it.
2. Check the lockfile: every copy of codecov in package-lock.json, including transitive ones, must be 3.7.1 or later.
3. Commit the updated package.json and lockfile, then rebuild and redeploy so CI runs the fixed version.

🔧 Temporary Workarounds

Input validation wrapper (all platforms)

Validate every parameter passed to the codecov upload method against a strict allowlist and reject anything containing shell metacharacters before it reaches the library.

Environment isolation (all platforms)

Run codecov in an isolated container or sandbox with minimal privileges and only the secrets that step needs.

🧯 If You Can't Patch

  • Treat every value that reaches codecov functions (options, flags, paths) as untrusted: allowlist the permitted characters and reject the rest rather than stripping individual metacharacters, which is exactly the approach the first fix got wrong
  • Run the codecov step with minimal privileges, in an isolated environment, and with only the secrets it needs, so that a successful injection cannot reach deployment credentials or other jobs

🔍 How to Verify

Check if Vulnerable:

Run 'npm list codecov' (add '--all' on npm 7 or later to include nested copies) and check every reported version; any copy below 3.7.1 is vulnerable. Also check package-lock.json, since a transitive copy can be older than the range in package.json.

Check Version:

npm list codecov | grep codecov

Verify Fix Applied:

Confirm that 'npm list codecov' reports 3.7.1 or higher for every occurrence and that package-lock.json contains no older copy.

📡 Detection & Monitoring

Log Indicators:

  • Command substitution syntax (backticks, '$(') or command separators in the arguments passed to the codecov step, visible in build logs or CI configuration history
  • Unexpected processes spawned beneath the codecov process (for example network clients or interpreters it has no reason to launch)
  • Shell syntax errors or 'command not found' messages in the codecov step's output, which can indicate a malformed injection attempt

Network Indicators:

  • Unexpected outbound connections from build servers during codecov execution

SIEM Query:

(process.name:codecov OR (process.name:node AND process.cmdline:*codecov*)) AND (process.cmdline:*`* OR process.cmdline:*$(*)

The uploader normally runs as a node process with codecov somewhere in its command line, so matching only process.name:codecov misses it. Matching on '&' alone is noisy because '&&' is routine in build scripts; if you keep it, pair it with the codecov match above and review hits manually.
