GHSA-8px5-63x9-5c7p

Suggest an improvement
Source
https://github.com/advisories/GHSA-8px5-63x9-5c7p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8px5-63x9-5c7p/GHSA-8px5-63x9-5c7p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8px5-63x9-5c7p
Aliases
Published
2020-09-03T16:47:30Z
Modified
2023-11-08T04:00:16.322767Z
Summary
pullit vulnerable to command injection
Details

Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.4.0 or later.

Credits

This vulnerability was discovered by @lirantal

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:43:46Z"
}
References

Affected packages

npm / pullit

Package

Name
pullit
View open source insights on deps.dev
Purl
pkg:npm/pullit

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0