CVE-2018-25083 – pullit
Package
Manager: npm
Name: pullit
Vulnerable Version: >=0 <1.4.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01094 (percentile 0.77149)
Details
pullit vulnerable to command injection
Versions of `pullit` prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it into an exec call, allowing attackers to run arbitrary commands on the system.
Recommendation
Upgrade to version 1.4.0 or later.
Credits
This vulnerability was discovered by @lirantal
Metadata
Created: 2020-09-03T16:47:30Z
Modified: 2023-03-28T23:17:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-8px5-63x9-5c7p/GHSA-8px5-63x9-5c7p.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-8px5-63x9-5c7p
Finding: F422
Auto approve: 1