GitHub Advisory Database: GHSA-X5M6-JH4R-34MV
History: Feb 15, 2022 - 1:07 a.m.

Hub Package Arbitrary File Overwrite

2022-02-15 01:07:53
CWE-377
GitHub Advisory Database
github.com
arbitrary file overwrite
symlink attack
temporary patch file
hub 1.12.1
local users
commands.rb
software security

CVSS2: 3.6
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:L/Au:N/C:N/I:P/A:P

EPSS: 0
Percentile: 5.1%

The am function in lib/hub/commands.rb in hub before 1.12.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary patch file.

Affected configurations

Vulners
Node: hub, Range < 1.12.1
OR
Node: github hub, Range < 1.12.1

Vendor | Product | Version | CPE
* | hub | * | cpe:2.3:a:*:hub:*:*:*:*:*:*:*:*
github | hub | * | cpe:2.3:a:github:hub:*:*:*:*:*:*:*:*
