CVE-2020-26222 Information
Description
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from version 0.119.0.beta1 before version 0.125.1 there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code: the branch name reaches the shell command used to clone the source repository without being escaped. For example, if Dependabot is configured to use the following source branch name: /$({curl,127.0.0.1}) then Dependabot will make an HTTP request to the following URL: 127.0.0.1 when cloning the source repository. (Bash brace expansion rewrites {curl,127.0.0.1} as curl 127.0.0.1, which is how the payload runs a two-word command even though git does not allow spaces in a ref name.) The fix was applied in version 0.125.1. As a workaround, one can escape the branch name prior to passing it to the Dependabot::Source class.
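The following Ruby example is added here to show the injection and the two ways of closing it; it is not code from dependabot-core or from the advisory. It stands in echo and printf for git clone and curl so that it runs offline, and the names MALICIOUS_BRANCH, SAFE_BRANCH, clone_args_unsafe, clone_args_escaped, clone_args_argv and plausible_branch_name? are all constructed for this demonstration. The escaping shown is the generic Shellwords approach, not the project's actual patch.

```ruby
require "open3"
require "shellwords"

# Constructed sample inputs (not taken from the advisory or from dependabot-core).
# The malicious name has the same shape as the advisory's payload: bash brace
# expansion rewrites {printf,injected} as `printf injected`, so the command
# substitution runs a two-word command although git refs cannot contain spaces.
SAFE_BRANCH = "release/2020.11"
MALICIOUS_BRANCH = '/$({printf,injected})'

# Vulnerable pattern: the branch name is interpolated into one command string
# that a shell then parses. `echo` stands in for `git clone --branch=...` so the
# demonstration runs offline; the shell's treatment of the string is the same.
def clone_args_unsafe(branch)
  out, status = Open3.capture2("bash", "-c", "echo --branch=#{branch}")
  raise "shell failed" unless status.success?
  out.chomp
end

# Hardened pattern 1: escape the untrusted value before it is interpolated into
# the shell string (the "escape the branch name" workaround, applied generically).
def clone_args_escaped(branch)
  out, status = Open3.capture2("bash", "-c", "echo --branch=#{Shellwords.escape(branch)}")
  raise "shell failed" unless status.success?
  out.chomp
end

# Hardened pattern 2: no shell at all. Passing an argv array to Open3 execs the
# program directly, so metacharacters in the branch name are never interpreted.
def clone_args_argv(branch)
  out, status = Open3.capture2("echo", "--branch=#{branch}")
  raise "exec failed" unless status.success?
  out.chomp
end

# Defence in depth: refuse names git itself would refuse, plus the shell
# metacharacters an injection relies on. This is a constructed subset of the
# rules behind `git check-ref-format`, not git's implementation.
def plausible_branch_name?(name)
  return false if name.empty? || name.start_with?("/") || name.end_with?("/", ".lock")
  return false if name.match?(/[\s~^:?*\[\\\x00-\x1f\x7f]|\.\.|@\{|\/\//)
  return false if name.match?(/[$`(){}|&;<>'"]/)

  true
end

if __FILE__ == $PROGRAM_NAME
  puts clone_args_unsafe(MALICIOUS_BRANCH)   # --branch=/injected  (the injected command ran)
  puts clone_args_escaped(MALICIOUS_BRANCH)  # --branch=/$({printf,injected})
  puts clone_args_argv(MALICIOUS_BRANCH)     # --branch=/$({printf,injected})
  puts plausible_branch_name?(MALICIOUS_BRANCH) # false
end
```

Of the two hardened forms, the argv form is the one to prefer: it removes the shell from the path entirely, so there is no escaping rule to get wrong and no dependence on which shell /bin/sh resolves to. The validation helper is a cheap extra check for values that come from user configuration, but it is not a substitute for passing them as arguments rather than as shell text.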
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r
https://github.com/dependabot/dependabot-core/pull/2727
https://github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH