Thanks for field_test, and for patching this vulnerability @ankane!
I work on GitHub's security workflows team and am looking into how we can make it easier for maintainers to publicise security vulnerabilities (and fixes). I'd love your feedback if you have 5 mins to leave a comment. In particular:
did you consider using the "Maintainer Security Advisories" to publicise this vulnerability (and patch)?
if you've never heard of "Maintainer Security Advisories" there are some docs on them here. What would make you consider using them, and is there anything that would stop you using them?
do you have any other thoughts on the process of handling a security vulnerability?
We're trying to make the process easier, particularly for maintainers dealing with a security issue for the first time, so please feel free to mention anything that would have made the process better.
If you'd like to say anything privately you can email me on greysteil@github.com.
Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. This vulnerability has been assigned the CVE identifier CVE-2019-13146.
Versions Affected: 0.3.0
Fixed Versions: 0.3.1
Versions Unaffected: < 0.3.0
Impact
If an application treats variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance:
All users running an affected release should upgrade immediately.
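The advisory's fix is to stop treating a query-supplied variant as trusted. The following is an added example, not field_test's own code: it contrasts the unvalidated pattern with an allow-list check against the experiment's configured variants. The `field_test` parameter layout, the experiment names and the config hash are assumptions for illustration.

```ruby
# Added example (not field_test's own code): allow-listing a variant
# supplied via query parameters before the application uses it.
# The EXPERIMENTS hash stands in for a config file like field_test's
# config/field_test.yml; the parameter layout is hypothetical.

EXPERIMENTS = {
  "button_color" => { "variants" => ["control", "red", "green"] }
}.freeze

# Vulnerable pattern: whatever arrives in the query string is treated
# as a trusted variant name, so an attacker-controlled string reaches
# SQL fragments or HTML templates unchanged.
def variant_unvalidated(params, experiment)
  params["field_test"]&.fetch(experiment, nil)
end

# Hardened pattern: the query value is accepted only if it exactly
# matches one of the variants configured for that experiment; anything
# else falls back to the control (first) variant. Unknown experiments
# yield nil so the caller cannot accidentally proceed with a guess.
def variant_validated(params, experiment, config = EXPERIMENTS)
  allowed = config.fetch(experiment, {}).fetch("variants", [])
  return nil if allowed.empty?

  requested = params.dig("field_test", experiment)
  allowed.include?(requested) ? requested : allowed.first
end

# Constructed sample request parameters: one honest override and one
# that tries to smuggle an unexpected string through the variant name.
SAMPLE_PARAMS = {
  "field_test" => { "button_color" => "red" }
}.freeze

UNEXPECTED_PARAMS = {
  "field_test" => { "button_color" => "red'; --" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts variant_unvalidated(UNEXPECTED_PARAMS, "button_color") # passes through
  puts variant_validated(UNEXPECTED_PARAMS, "button_color")   # control
end
```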