GHSA-549f-73hh-mj38

Suggest an improvement
Source
https://github.com/advisories/GHSA-549f-73hh-mj38
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-549f-73hh-mj38/GHSA-549f-73hh-mj38.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-549f-73hh-mj38
Aliases
  • CVE-2019-5485
Published
2019-09-16T22:24:02Z
Modified
2023-11-08T04:01:37.019569Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Command Injection in gitlabhook
Details

All versions of gitlabhook are vulnerable to Command Injection. The package does not validate input the body of POST request and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2019-09-16T22:23:36Z",
    "github_reviewed": true,
    "nvd_published_at": "2019-09-13T18:15:00Z"
}
References

Affected packages

npm / gitlabhook

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.0.17

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-549f-73hh-mj38/GHSA-549f-73hh-mj38.json"