CVE-2018-25083

EPSS 17.6%

pullit vulnerable to command injection

Published: 2020/9/3 | Modified: 2023/11/8

Description

Versions of `pullit` prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.

## Recommendation

Upgrade to version 1.4.0 or later.

## Credits

This vulnerability was discovered by @lirantal
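The pattern described above, shown next to a hardened form, as an added example that is not pullit's source code: the function names, the `git checkout` subcommand and the sample branch name are assumptions made for illustration.

```javascript
// Added example, not pullit's code. All names here are hypothetical.
const { execFileSync } = require('node:child_process');

// Conservative allowlist (stricter than git's own ref rules): letters,
// digits, '.', '_', '-', '/'. A leading '-' is refused so the name cannot
// be parsed as an option, and '..' is refused as git does.
function isSafeBranchName(name) {
  return typeof name === 'string' &&
    name.length > 0 && name.length <= 255 &&
    /^[A-Za-z0-9._\/-]+$/.test(name) &&
    !name.startsWith('-') &&
    !name.includes('..');
}

// Vulnerable shape from the advisory: the branch name is concatenated into
// one string that exec() would hand to a shell. Built here, never executed.
function unsafeCommandString(branch) {
  return 'git checkout ' + branch;
}

// Hardened shape: validate first, then build an argv array for execFile(),
// which starts the program directly without a shell.
function checkoutArgs(branch) {
  if (!isSafeBranchName(branch)) {
    throw new Error('rejected branch name');
  }
  return ['checkout', branch];
}

// Shows what execFile() delivers: a child Node process writes back the one
// argument it received, so shell metacharacters arrive as literal text.
function echoViaExecFile(value) {
  return execFileSync(
    process.execPath,
    ['-e', 'process.stdout.write(process.argv[1])', value],
    { encoding: 'utf8' }
  );
}

// Constructed sample input containing a shell separator.
const sample = 'feature/x; echo INJECTED';
console.log('string a shell would parse:', unsafeCommandString(sample));
console.log('allowlist accepts sample:  ', isSafeBranchName(sample));
console.log('argv element via execFile: ', echoViaExecFile(sample));
console.log('argv for a valid branch:   ', checkoutArgs('feature/login-fix'));
```

Validation and shell-free invocation are independent controls; the allowlist also stops names that git itself would read as options, which `execFile` alone does not.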

Affected packages (1)

References (6)