GHSA-8px5-63x9-5c7p

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8px5-63x9-5c7p/GHSA-8px5-63x9-5c7p.json

Aliases

• CVE-2018-25083

Published

2020-09-03T16:47:30Z

Modified

2023-03-28T23:17:59Z

Details

Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

Recommendation

Upgrade to version 1.4.0 or later.

Credits

This vulnerability was discovered by @lirantal

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-25083
• https://github.com/jkup/pullit/issues/23
• https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb
• https://hackerone.com/reports/315773
• https://github.com/jkup/pullit
• https://security.snyk.io/vuln/npm:pullit:20180214