CVE-2020-26284

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26284
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26284.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26284
Aliases
Related
Published
2020-12-21T23:15:12Z
Modified
2024-11-21T05:19:45Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one. Windows users who run hugo inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.

References

Affected packages

Debian:11 / hugo

Package

Name
hugo
Purl
pkg:deb/debian/hugo?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.79.1-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:12 / hugo

Package

Name
hugo
Purl
pkg:deb/debian/hugo?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.79.1-1

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:13 / hugo

Package

Name
hugo
Purl
pkg:deb/debian/hugo?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.79.1-1

Ecosystem specific 

{
    "urgency": "unimportant"
}