Description
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".
Remediation
References
https://snyk.io/vuln/SNYK-JS-AWSLAMBDA-540839
Related Vulnerabilities
CVE-2020-7642 Vulnerability in npm package lazysizes
CVE-2019-10344 Vulnerability in maven package io.jenkins:configuration-as-code
CVE-2020-13954 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http
CVE-2016-0779 Vulnerability in maven package org.apache.tomee:arquillian-tomee-common