CVE-2020-7636: 
JavaScript vulnerability analysis and mitigation

The adb-driver package through version 0.1.8 contains a Command Injection vulnerability (CVE-2020-7636). The vulnerability was discovered and disclosed on April 5, 2020, by the JHU System Security Lab. This security issue affects the Universal Android USB Driver package available through npm (NVD, Snyk).

The vulnerability allows execution of arbitrary commands via the command function. The injection point is specifically located in line 26 of the index file 'build/AdbDriver.js'. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 6.5 (Medium) from Snyk. The vulnerability is classified as CWE-74, indicating a command injection weakness (Snyk).

The exploitation of this vulnerability can lead to a total loss of confidentiality, with all resources within the impacted component being potentially exposed to the attacker. While integrity impact is considered low, where modification of data is possible but limited in scope, there is no direct impact on system availability (Snyk).

Currently, there is no fixed version available for the adb-driver package. Users of this package should be aware of the security risk and consider alternative solutions or implement additional security controls (Snyk).