CVE-2022-0764 — Command injection in strapi

Description

When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular [link](https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13), this happens due to improper sanitization of user input.

How to fix CVE-2022-0764

To remediate CVE-2022-0764, upgrade the affected package to a fixed version below.

—upgrade to 4.1.0 or later

Is CVE-2022-0764 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0764
PATCHgithub.com/strapi/strapi
WEBgithub.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13
WEBgithub.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c