RCE in Gitlabhook

CVE-2019-5485

The npm package gitlabhook, version 0.0.17, is vulnerable to command injection. Arbitrary commands can be injected through the repository name.

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.598 (99.0th percentile)

Affected products

  • N/a Gitlabhook — versions Not Fixed
