GHSA-8j34-9876-pvfq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8j34-9876-pvfq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-8j34-9876-pvfq/GHSA-8j34-9876-pvfq.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8j34-9876-pvfq
- Aliases
- Related
- Published
- 2021-06-23T17:28:26Z
- Modified
- 2024-09-11T06:12:44.178717Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Hugo can execute a binary from the current directory on Windows
- Details
-
Impact
Hugo depends on Go's
os/execfor certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system%PATH%on Windows. However, if a malicious file with the same name (exeorbat) is found in the current working directory at the time of runninghugo, the malicious command will be invoked instead of the system one.Windows users who run
hugoinside untrusted Hugo sites are affected.Patches
Users should upgrade to Hugo v0.79.1.
- Database specific
{ "nvd_published_at": "2020-12-21T23:15:00Z", "github_reviewed_at": "2021-05-21T18:15:45Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-78" ] }- References
Affected packages
Go / github.com/gohugoio/hugo
Package
- Name
- github.com/gohugoio/hugo
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gohugoio/hugo