GHSA-23F7-99JX-M54R

Vulnerability from github – Published: 2020-11-13 15:47 – Updated: 2023-05-16 16:04
VLAI?
Summary
Remote code execution in dependabot-core branch names when cloning
Details

Impact

Remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.

For example, if Dependabot is configured to use the following source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.

When Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:

git clone --no-tags --no-recurse-submodules --depth=1 --branch=<BRANCH> --single-branch <GITHUB_REPO_URL> repo/contents/path

Dependabot will always clone the source repository for go_modules during the file fetching step and can be configured to clone the repository for other package managers using the FileFetcher class from dependabot-common.

source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: "/$({curl,127.0.0.1})",
)

repo_contents_path = "./file/path"
fetcher = Dependabot::FileFetchers.for_package_manager("bundler").
                  new(source: source, credentials: [],
                  repo_contents_path: repo_contents_path)
fetcher.clone_repo_contents

Patches

The fix was applied to version 0.125.1: https://github.com/dependabot/dependabot-core/pull/2727

Workarounds

Escape the branch name prior to passing it to the Dependabot::Source class.

For example using shellwords:

require "shellwords"
branch = Shellwords.escape("/$({curl,127.0.0.1})")
source = Dependabot::Source.new(
  provider: "github",
  repo: "repo/name",
  directory: "/",
  branch: branch,
)
Severity ?
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "dependabot-omnibus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.119.0.beta1"
            },
            {
              "fixed": "0.125.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "dependabot-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.119.0.beta1"
            },
            {
              "fixed": "0.125.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-13T15:47:18Z",
    "nvd_published_at": "2020-11-13T16:15:18Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nRemote code execution vulnerability in `dependabot-common` and  `dependabot-go_modules` when a source branch name contains malicious injectable bash code.\n\nFor example, if Dependabot is configured to use the following source branch name: `\"/$({curl,127.0.0.1})\"`, Dependabot will make a HTTP request to the following URL: 127.0.0.1 when cloning the source repository.\n\nWhen Dependabot is configured to clone the source repository during an update, Dependabot runs a shell command to git clone the repository:\n\n```bash\ngit clone --no-tags --no-recurse-submodules --depth=1 --branch=\u003cBRANCH\u003e --single-branch \u003cGITHUB_REPO_URL\u003e repo/contents/path\n```\n\nDependabot will always clone the source repository for `go_modules` during the file fetching step and can be configured to clone the repository for other package managers using the `FileFetcher` class from `dependabot-common`.\n\n```ruby\nsource = Dependabot::Source.new(\n  provider: \"github\",\n  repo: \"repo/name\",\n  directory: \"/\",\n  branch: \"/$({curl,127.0.0.1})\",\n)\n\nrepo_contents_path = \"./file/path\"\nfetcher = Dependabot::FileFetchers.for_package_manager(\"bundler\").\n                  new(source: source, credentials: [],\n                  repo_contents_path: repo_contents_path)\nfetcher.clone_repo_contents\n```\n\n### Patches\n\nThe fix was applied to version `0.125.1`: https://github.com/dependabot/dependabot-core/pull/2727\n\n### Workarounds\nEscape the branch name prior to passing it to the `Dependabot::Source` class.\n\nFor example using `shellwords`:\n\n```ruby\nrequire \"shellwords\"\nbranch = Shellwords.escape(\"/$({curl,127.0.0.1})\")\nsource = Dependabot::Source.new(\n  provider: \"github\",\n  repo: \"repo/name\",\n  directory: \"/\",\n  branch: branch,\n)\n```",
  "id": "GHSA-23f7-99jx-m54r",
  "modified": "2023-05-16T16:04:56Z",
  "published": "2020-11-13T15:47:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dependabot/dependabot-core/security/advisories/GHSA-23f7-99jx-m54r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dependabot/dependabot-core/pull/2727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dependabot/dependabot-core/commit/e089116abbe284425b976f7920e502b8e83a61b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dependabot/dependabot-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-common/CVE-2020-26222.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/dependabot-omnibus/CVE-2020-26222.yml"
    },
    {
      "type": "WEB",
      "url": "https://rubygems.org/gems/dependabot-common"
    },
    {
      "type": "WEB",
      "url": "https://rubygems.org/gems/dependabot-omnibus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution in dependabot-core branch names when cloning"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.