GHSA-23f7-99jx-m54r

Source

https://github.com/advisories/GHSA-23f7-99jx-m54r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-23f7-99jx-m54r/GHSA-23f7-99jx-m54r.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-23f7-99jx-m54r

Aliases

CVE-2020-26222

Published

2020-11-13T15:47:50Z

Modified

2023-11-06T05:17:39.095575Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Remote code execution in dependabot-core branch names when cloning

Details

Impact

Remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.

For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.

When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:

git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path

Dependabot will always clone the source repository for go_modules during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher class from dependabot-common.

source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: "/$({curl,127.0.0.1})",
)

repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
                  new(source: source, credentials: [],
                  repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents

Patches

The fix was applied to version 0.125.1: https://github.com/dependabot/dependabot-core/pull/2727

Workarounds

Escape the branch name prior to passing it to the Dependabot::Source class.

For example using shellwords:

require "shellwords"
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: branch,
)

Database specific

{
    "nvd_published_at": "2020-11-13T16:15:18Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-13T15:47:18Z"
}

References

Affected packages

RubyGems / dependabot-omnibus

Package

Name: dependabot-omnibus
Purl: pkg:gem/dependabot-omnibus

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.119.0.beta1

Fixed

0.125.1

Affected versions

0.*

0.119.0.beta1

0.119.0

0.119.1

0.119.2

0.119.3

0.119.4

0.119.5

0.119.6

0.120.0

0.120.1

0.120.2

0.120.3

0.120.4

0.120.5

0.121.0

0.121.1

0.122.0

0.122.1

0.123.0

0.123.1

0.124.0

0.124.1

0.124.2

0.124.3

0.124.4

0.124.5

0.124.6

0.124.7

0.124.8

0.125.0

RubyGems / dependabot-common