Lucene search

GitHub Advisory DatabaseGHSA-X5M6-JH4R-34MV

HistoryFeb 15, 2022 - 1:07 a.m.

Hub Package Arbitrary File Overwrite

2022-02-1501:07:53

CWE-377

GitHub Advisory Database

github.com

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

0.0004 Low

EPSS

Percentile

5.3%

JSON

The am function in lib/hub/commands.rb in hub before 1.12.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary patch file.

CPENameOperatorVersion
hublt1.12.1
github.com/github/hublt1.12.1

CPE	Name	Operator	Version
	hub	lt	1.12.1
	github.com/github/hub	lt	1.12.1

References

github.com/advisories/GHSA-x5m6-jh4r-34mv

github.com/github/hub/commit/016ec99d25b1cb83cb4367e541177aa431beb600

github.com/mislav/hub/commit/016ec99d25b1cb83cb4367e541177aa431beb600

github.com/mislav/hub/releases/tag/v1.12.1

github.com/rubysec/ruby-advisory-db/blob/master/gems/hub/CVE-2014-0177.yml

nvd.nist.gov/vuln/detail/CVE-2014-0177

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

0.0004 Low

EPSS

Percentile

5.3%

JSON

Related for GHSA-X5M6-JH4R-34MV