{
  "schema_version": "1.4.0",
  "id": "GHSA-549f-73hh-mj38",
  "modified": "2023-06-01T19:46:39Z",
  "published": "2019-09-16T22:24:02Z",
  "aliases": [
    "CVE-2019-5485"
  ],
  "summary": "Command Injection in gitlabhook",
  "details": "All versions of `gitlabhook` are vulnerable to Command Injection. The package does not validate input the body of POST request and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "gitlabhook"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.17"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5485"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/685447"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154598/NPMJS-gitlabhook-0.0.17-Remote-Command-Execution.html"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-16T22:23:36Z",
    "nvd_published_at": "2019-09-13T18:15:00Z"
  }
}