Vulnerability Information
Vulnerability Title
Remote code execution in dependabot-core
Vulnerability Description
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from version 0.119.0.beta1 before version 0.125.1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make an HTTP request to the following URL: 127.0.0.1 when cloning the source repository. The fix was applied in version 0.125.1. As a workaround, one can escape the branch name prior to passing it to the Dependabot::Source class.
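The root cause described above is a branch name being interpolated into a shell command string, so the shell expands `$(...)` before git ever receives the argument. The following added example (not dependabot-core's own code; it does not model the Dependabot::Source class, and the function names, the allowlist pattern and the sample branch name are assumptions) contrasts the vulnerable interpolation with the advisory's workaround (Shellwords.escape) and with the stronger argv form that involves no shell at all, plus a conservative validation check a defender can apply before the name reaches either path.

```ruby
# Added example: safe handling of a user-controlled branch name before it
# reaches a git command. Not dependabot-core's code; Dependabot::Source is
# not modelled here.
require "shellwords"

# Constructed sample branch name of the shape described in the advisory.
INJECTED_BRANCH = "/$({curl,127.0.0.1})".freeze

# Vulnerable pattern: interpolating the branch name into a shell command
# string. The shell parses $(...) and runs it before git sees the argument.
def clone_command_unsafe(url, branch)
  "git clone --branch #{branch} #{url} repo"
end

# Workaround from the advisory: shell-escape the branch name (and the URL)
# before interpolation, so every metacharacter is backslash-quoted.
def clone_command_escaped(url, branch)
  "git clone --branch #{Shellwords.escape(branch)} #{Shellwords.escape(url)} repo"
end

# Stronger fix: build an argv array and hand it to Kernel#system(*argv) or
# Open3.capture3(*argv). With multiple arguments Ruby exec()s git directly,
# so there is no shell to expand anything.
def clone_argv(url, branch)
  ["git", "clone", "--branch", branch, url, "repo"]
end

# Conservative allowlist validation (an assumption, deliberately stricter than
# git's own check-ref-format rules): accept only plain ref-path characters,
# reject "..", trailing "/" and ".lock", which git also refuses.
BRANCH_PATTERN = %r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z}
def valid_branch_name?(branch)
  return false unless branch.match?(BRANCH_PATTERN)
  return false if branch.include?("..") || branch.end_with?("/", ".lock")
  true
end

# Detection helper: does a command string still contain an unescaped shell
# metacharacter that would be interpreted before exec? Used to show that the
# escaped form is inert while the interpolated form is not.
def shell_injectable?(cmd)
  cmd.match?(/(?<!\\)[$`;|&<>(){}]/)
end

if __FILE__ == $PROGRAM_NAME
  url = "https://example.invalid/org/repo.git"   # constructed URL
  puts clone_command_unsafe(url, INJECTED_BRANCH)
  puts clone_command_escaped(url, INJECTED_BRANCH)
  p clone_argv(url, INJECTED_BRANCH)
  p valid_branch_name?(INJECTED_BRANCH)
end
```

Escaping is the minimal patch, but the argv form is the one to prefer in new code: it removes the shell from the path entirely, so no later change to how the string is assembled can reintroduce the expansion. The allowlist check is a defence-in-depth layer, not a substitute for either.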
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Improper neutralization of special elements in output (injection)
Vulnerability Title
Dependabot injection vulnerability
Vulnerability Description
Dependabot is an open source project. Dependabot Core contains the logic for updating dependencies on GitHub (including GitHub Enterprise), GitLab and Azure DevOps. Dependabot Dependabot-Core versions from 0.119.0.beta1 before 0.125.1 contain a security vulnerability: when a source branch name contains malicious injectable bash code, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules.
CVSS Information
N/A
Vulnerability Type
N/A