CVE-2025-10283
CRITICAL9.6EPSS 0.07%BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
發布日:2025/10/9修改日:2025/10/9
描述
### Summary bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE). bbot's `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE). ### Impact A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.
受影響套件(1)
- PyPI/bbotfrom 0, < 2.7.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-10283
- PATCHhttps://github.com/blacklanternsecurity/bbot
- WEBhttps://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
- WEBhttps://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140
- WEBhttps://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-h6m2-r6h9-4c44