Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThweDUtNjN4OS01Yzdw
pullit vulnerable to command injection
Versions of pullit prior to 1.4.0 are vulnerable to command injection. The package does not validate git branch names supplied as input and concatenates them directly into an exec call, allowing an attacker who controls a branch name to run arbitrary commands on the system.
Recommendation
Upgrade to version 1.4.0 or later.
Credits
This vulnerability was discovered by @lirantal
Permalink: https://github.com/advisories/GHSA-8px5-63x9-5c7p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThweDUtNjN4OS01Yzdw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
Identifiers: GHSA-8px5-63x9-5c7p, CVE-2018-25083
References:
- https://hackerone.com/reports/315773
- https://github.com/jkup/pullit/issues/23
- https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb
- https://nvd.nist.gov/vuln/detail/CVE-2018-25083
- https://security.snyk.io/vuln/npm:pullit:20180214
- https://github.com/advisories/GHSA-8px5-63x9-5c7p
Blast Radius: 0.0
Affected Packages
npm:pullit
Dependent packages: 1
Dependent repositories: 1
Downloads: 17 last month
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 0.0.1, 0.0.2, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.3.0
All unaffected versions: 1.4.0, 2.0.0, 2.1.0