CVE-2019-5485

CRITICAL10.0EPSS 49.6%

Command Injection in gitlabhook

Published: 9/16/2019Modified: 11/8/2023

Description

All versions of `gitlabhook` are vulnerable to Command Injection. The package does not validate input the body of POST request and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.

Affected packages (1)

npm/gitlabhookfrom 0, <= 0.0.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-5485
WEBhttp://packetstormsecurity.com/files/154598/NPMJS-gitlabhook-0.0.17-Remote-Command-Execution.html
WEBhttps://hackerone.com/reports/685447