All versions of gitlabhook are vulnerable to Command Injection. The package does not validate input the body of POST request and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.
No fix is currently available. Consider using an alternative package until a fix is made available.
{
"cwe_ids": [
"CWE-78"
],
"severity": "CRITICAL",
"github_reviewed_at": "2019-09-16T22:23:36Z",
"github_reviewed": true,
"nvd_published_at": "2019-09-13T18:15:00Z"
}