CVE-2020-36762

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-36762
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36762.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-36762
Published
2023-07-18T15:15:11Z
Modified
2025-01-08T10:31:45.499189Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A vulnerability classified as critical was found in ONS Digital RAS Collection Instrument up to 2.0.27. It affects the function jobs of the file .github/workflows/comment.yml. Manipulation of the argument $COMMENT_BODY leads to OS command injection. Upgrading to version 2.0.28 addresses this issue. The patch is named dcaad2540f7d50c512ff2e031d3778dd9337db2b. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-234248.

Affected packages

Git / github.com/onsdigital/ras-collection-instrument

Affected ranges

Type
GIT
Repo
https://github.com/onsdigital/ras-collection-instrument
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.2.0
1.2.1
1.2.2

2.*

2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

Other

release_1
release_10
release_11
release_12
release_13
release_14
release_15
release_2
release_3
release_4
release_5
release_6
release_7
release_8
release_9
v1

v1.*

v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1