6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.4%
Remote code execution vulnerability in dependabot-common
and dependabot-go_modules
when a source branch name contains malicious injectable bash code.
For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})"
, Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.
When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:
git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path
Dependabot will always clone the source repository for go_modules
during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher
class from dependabot-common
.
source = Dependabot::Source.new(
provider: "github",
repo: "repo/name",
directory: "/",
branch: "/$({curl,127.0.0.1})",
)
repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
new(source: source, credentials: [],
repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents
The fix was applied to version 0.125.1
: https://github.com/dependabot/dependabot-core/pull/2727
Escape the branch name prior to passing it to the Dependabot::Source
class.
For example using shellwords
:
require "shellwords"
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
provider: "github",
repo: "repo/name",
directory: "/",
branch: branch,
)
CPE | Name | Operator | Version |
---|---|---|---|
dependabot-common | lt | 0.125.1 | |
dependabot-omnibus | lt | 0.125.1 |
github.com/advisories/GHSA-23f7-99jx-m54r
github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5
github.com/dependabot/dependabot-core/pull/2727
github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r
github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-common/CVE-2020-26222.yml
github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-omnibus/CVE-2020-26222.yml
nvd.nist.gov/vuln/detail/CVE-2020-26222
rubygems.org/gems/dependabot-common
rubygems.org/gems/dependabot-omnibus
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.014 Low
EPSS
Percentile
86.4%