Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OS Command Injection in github-todos #5

Closed
dwisiswant0 opened this issue Aug 5, 2021 · 2 comments
Closed

OS Command Injection in github-todos #5

dwisiswant0 opened this issue Aug 5, 2021 · 2 comments
Assignees
@dwisiswant0
Labels
disclosed Disclosure/advisory has been published & disclosed poc Proof-of-concept dropped
Projects
Advisory

Comments

@dwisiswant0
Copy link
Owner

dwisiswant0 commented Aug 5, 2021
edited
Loading

Description

naholyr github-todos <= 3.1.0 is vulnerable to command injection. The range argument for the _hook subcommand is concatenated without any validation, and is directly used by the exec function.

CVE ID: CVE-2021-44684

Proof-of-Concept

PoC

Impact

This issue may lead to arbitrary command execution.

References
@dwisiswant0 dwisiswant0 self-assigned this Aug 5, 2021
@dwisiswant0 dwisiswant0 added the needs triage Coordinated disclosure that need to be triaged label Aug 5, 2021
@dwisiswant0 dwisiswant0 added this to Needs triage in Advisory via automation Aug 5, 2021
@github-actions
Copy link

github-actions bot commented Dec 4, 2021

It seems like it's been 120-day, has this disclosure not received a response from the vendor yet? Please make a decision in the next 2-day.

@github-actions github-actions bot added the deadline Disclosure deadline (120-day) reached & make a decision for disclosure label Dec 4, 2021
@dwisiswant0
Copy link
Owner Author

CVE requested.

@dwisiswant0 dwisiswant0 moved this from Needs triage to Decision in Advisory Dec 4, 2021
@dwisiswant0 dwisiswant0 added TBD Advisory to be determined and removed needs triage Coordinated disclosure that need to be triaged labels Dec 4, 2021
@github-actions github-actions bot removed TBD Advisory to be determined deadline Disclosure deadline (120-day) reached & make a decision for disclosure labels Dec 5, 2021
@dwisiswant0 dwisiswant0 added TBD Advisory to be determined disclosed Disclosure/advisory has been published & disclosed and removed TBD Advisory to be determined labels Dec 6, 2021
@dwisiswant0 dwisiswant0 changed the title OS Command Injection in huntr#ff22097b-76e7-4c58-bf41-8ec94a713562 OS Command Injection in github-todos Dec 6, 2021
Advisory automation moved this from Decision to Disclosed Dec 6, 2021
@dwisiswant0 dwisiswant0 added the poc Proof-of-concept dropped label Dec 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dwisiswant0 dwisiswant0

Labels
disclosed Disclosure/advisory has been published & disclosed poc Proof-of-concept dropped
Projects
Advisory
Disclosed
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dwisiswant0