logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-26222 dependabot-omnibus

Package

Manager: gem
Name: dependabot-omnibus
Vulnerable Version: >=0.119.0.beta1 <0.125.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00623 pctl0.69228

Details

Remote code execution in dependabot-core branch names when cloning ### Impact Remote code execution vulnerability in `dependabot-common` and `dependabot-go_modules` when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: `"/$({curl,127.0.0.1})"`, Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository. When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository: ```bash git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path ``` Dependabot will always clone the source repository for `go_modules` during the file fetching step and can be configured to clone the repository for other package managers using the `FileFetcher` class from `dependabot-common`. ```ruby source = Dependabot::Source.new( provider: "github", repo: "repo/name", directory: "/", branch: "/$({curl,127.0.0.1})", ) repo_contents_path = "./file/path" fetcher = Dependabot::FileFetchers.for_package_manager("bundler"). new(source: source, credentials: [], repo_contents_path: repo_contents_path) fetcher.clone_repo_contents ``` ### Patches The fix was applied to version `0.125.1`: https://github.com/dependabot/dependabot-core/pull/2727 ### Workarounds Escape the branch name prior to passing it to the `Dependabot::Source` class. For example using `shellwords`: ```ruby require "shellwords" branch = Shellwords.escape("/$({curl,127.0.0.1})") source = Dependabot::Source.new( provider: "github", repo: "repo/name", directory: "/", branch: branch, ) ```

Metadata

Created: 2020-11-13T15:47:50Z
Modified: 2023-05-16T16:04:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-23f7-99jx-m54r/GHSA-23f7-99jx-m54r.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-23f7-99jx-m54r
Finding: F184
Auto approve: 1