CVE-2020-26222

Published: Nov 13, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.7

HIGH

Description

Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from version 0.119.0.beta1 before version 0.125.1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository. The fix was applied to version 0.125.1. As a workaround, one can escape the branch name prior to passing it to the Dependabot::Source class.

Vendor	Product	Versions
dependabot	dependabot-core	affected `< 0.125.1`

Weaknesses (CWE)

CWE-74

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r

x_refsource_CONFIRM

https://github.com/dependabot/dependabot-core/pull/2727

x_refsource_MISC

https://github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-26222

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References