GHSA-8px5-63x9-5c7p

Source

https://github.com/advisories/GHSA-8px5-63x9-5c7p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8px5-63x9-5c7p/GHSA-8px5-63x9-5c7p.json

Aliases

CVE-2018-25083

Published

2020-09-03T16:47:30Z

Modified

2023-11-08T04:00:16.322767Z

Details

Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.4.0 or later.

Credits

This vulnerability was discovered by @lirantal

References

https://nvd.nist.gov/vuln/detail/CVE-2018-25083
https://github.com/jkup/pullit/issues/23
https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb
https://hackerone.com/reports/315773
https://github.com/jkup/pullit
https://security.snyk.io/vuln/npm:pullit:20180214

GHSA-8px5-63x9-5c7p

Recommendation

Credits

Affected packages

npm / pullit

Package

Affected ranges