CVE-2019-5485 – gitlabhook
Package
Manager: npm
Name: gitlabhook
Vulnerable Version: >=0 <=0.0.17
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.53857 (percentile 0.97923)
Details
Command Injection in gitlabhook. All versions of `gitlabhook` are vulnerable to Command Injection. The package does not validate the body of the POST request and concatenates it into an exec call, allowing attackers to run arbitrary commands on the system.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Metadata
Created: 2019-09-16T22:24:02Z
Modified: 2023-06-01T19:46:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-549f-73hh-mj38/GHSA-549f-73hh-mj38.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-549f-73hh-mj38
Finding: F404
Auto approve: 1