GHSA-8px5-63x9-5c7p

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8px5-63x9-5c7p/GHSA-8px5-63x9-5c7p.json
Aliases
  • CVE-2018-25083
Published
2020-09-03T16:47:30Z
Modified
2023-03-28T23:17:59Z
Details

Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.4.0 or later.

Credits

This vulnerability was discovered by @lirantal

References

Affected packages

npm / pullit

pullit

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
1.4.0

Affected versions