CVE-2018-25083
pullit vulnerable to command injection
EPSS: 17.6%
Published: 9/3/2020
Modified: 11/8/2023
Also known as: GHSA-8px5-63x9-5c7p
Description
Versions of `pullit` prior to 1.4.0 are vulnerable to Command Injection. The package does not validate git branch names and concatenates them directly into an exec call, so a crafted branch name lets an attacker run arbitrary commands on the system.
Recommendation
Upgrade to version 1.4.0 or later.
Credits
This vulnerability was discovered by @lirantal
Affected packages (1)
- npm/pullit (from 0, < 1.4.0)
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-25083
- PATCH: https://github.com/jkup/pullit
- WEB: https://github.com/jkup/pullit/commit/4fec455774ee08f4dce0ef2ef934ffcc37219bfb
- WEB: https://github.com/jkup/pullit/issues/23
- WEB: https://hackerone.com/reports/315773
- WEB: https://security.snyk.io/vuln/npm:pullit:20180214