Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZ3E5LXE4ZzItM2ptZ84AAQKq

Command Injection in VIVO Vitro

SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.

Permalink: https://github.com/advisories/GHSA-hgq9-q8g2-3jmg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZ3E5LXE4ZzItM2ptZ84AAQKq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 11 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hgq9-q8g2-3jmg, CVE-2019-6986
References: Repository: https://github.com/vivo-project/Vitro
Blast Radius: 1.0

Affected Packages

maven:org.vivoweb:vitro-project
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.11.0
Fixed in: 1.11.0
All affected versions: 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0
All unaffected versions: 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.15.0