CVE-2019-5485
Published 2019-09-13
Priority: P1 · 81 · critical · 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: EPSS 59.77% (99.0th percentile)
NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| gitlabhook_project | gitlabhook | — | — |
| gitlabhook_project | gitlabhook | 0 – 0.0.17 | — |
Detection & IOCs (extracted from sources)
- Arbitrary commands are injected through the repository name field in the JSON payload sent via HTTP POST to the gitlabhook listener.
- The exploit targets gitlabhook version 0.0.17 specifically; other versions may not be vulnerable. Note that the OSV/GHSA advisory on this page states that all versions are affected and that no fixed release exists, and the NVD range covers 0 through 0.0.17, so treat every installed version as affected.
- The default listening port for gitlabhook is 3420; defenders should monitor this port for anomalous POST request payloads, in particular repository names containing shell metacharacters.
CVSS provenance
- NVD · CVSS v3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD · CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
OSV · 2019-09-16
CVE-2019-5485 [CRITICAL] Command Injection in gitlabhook
All versions of `gitlabhook` are vulnerable to Command Injection. The package does not validate the body of the POST request and concatenates it into an exec call, allowing attackers to run arbitrary commands on the system.
## Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
GHSA · 2019-09-16
CVE-2019-5485 [CRITICAL] CWE-78 Command Injection in gitlabhook
Advisory text identical to the OSV entry above: all versions of `gitlabhook` are vulnerable, no fix is available, and an alternative package is recommended.
GitLab (vendor_gitlab · 2019-09-13 · CVSS 10.0)
CVE-2019-5485 [CRITICAL] CWE-78
CVE-2019-5485: NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.
No detection rules found.
No writeups or analysis indexed.
Published: 2019-09-13