CVE-2019-5485 — CRITICAL (10.0)

Vulnerability Description

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gitlabhook Project	Gitlabhook	0.0.17

Related Weaknesses (CWE)

CWE-78

References

http://packetstormsecurity.com/files/154598/NPMJS-gitlabhook-0.0.17-Remote-CommaExploitThird Party AdvisoryVDB Entry
https://hackerone.com/reports/685447ExploitThird Party Advisory
http://packetstormsecurity.com/files/154598/NPMJS-gitlabhook-0.0.17-Remote-CommaExploitThird Party AdvisoryVDB Entry
https://hackerone.com/reports/685447ExploitThird Party Advisory

FAQ

What is CVE-2019-5485?

CVE-2019-5485 is a vulnerability with a CVSS score of 10.0 (CRITICAL). NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

How severe is CVE-2019-5485?

CVE-2019-5485 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-5485?

Check the references section above for vendor advisories and patch information. Affected products include: Gitlabhook Project Gitlabhook.