Description
pullit vulnerable to command injection
Versions of pullit prior to 1.4.0 are vulnerable to Command Injection. The package does not validate input on git branch names and concatenates it into an exec call, allowing attackers to run arbitrary commands on the system.
Recommendation
Upgrade to version 1.4.0 or later.
Credits
This vulnerability was discovered by @lirantal
Packages
Name             Affected versions   Fixed version
pullit (npm)     < 1.4.0             1.4.0
Related vulnerabilities
CVSS3: 9.8 (nvd, almost 3 years ago)
The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name.