GHSA-cv5c-2qv5-w2m2: Passbolt Api Remote code execution
Passbolt lets a system administrator generate the server's PGP key during installation. The installation wizard asks for a username, an e-mail address and an optional comment for that key, and Passbolt passed these values into the shell command that generates the key without escaping or validating them. A value containing shell metacharacters therefore breaks out of the intended command and is executed as arbitrary shell code.
The impact is high: arbitrary command execution with the privileges of the process running the installer. The probability of exploitation is low, because the vulnerable code path is reachable only during Passbolt's installation stage; once installation is complete the wizard is no longer available, so already-configured instances are not exposed.
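The PHP below is an added example and is not Passbolt's code or its fix; it shows the bug class this advisory describes (installer-supplied PGP identity fields spliced into a shell command) next to two hardened forms. The function names, the exact gpg invocation, the key size and the sample payload are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class in this advisory. Not Passbolt's code: the
// function names, the gpg command line and the sample payload are assumptions.

// Builds the user id the way gpg expects it: "Name (Comment) <email>".
function buildUserId(string $name, string $email, string $comment): string
{
    return $comment === '' ? "$name <$email>" : "$name ($comment) <$email>";
}

// Vulnerable pattern: installer fields are interpolated into a command string that is
// later handed to /bin/sh. A name such as  Admin"; id > /tmp/pwned; #  closes the
// double-quoted user id, runs `id > /tmp/pwned`, and comments out the rest.
function buildGenKeyCommandVulnerable(string $name, string $email, string $comment): string
{
    $uid = buildUserId($name, $email, $comment);
    return "gpg --batch --pinentry-mode loopback --passphrase '' --quick-gen-key \"$uid\" rsa4096";
}

// Fix 1: keep the shell but quote the argument. escapeshellarg() wraps the value in
// single quotes and escapes embedded single quotes, so metacharacters become plain data.
function buildGenKeyCommandEscaped(string $name, string $email, string $comment): string
{
    $uid = buildUserId($name, $email, $comment);
    return "gpg --batch --pinentry-mode loopback --passphrase '' --quick-gen-key "
        . escapeshellarg($uid) . ' rsa4096';
}

// Fix 2 (preferred): allow-list the fields and never involve a shell at all.
function validateKeyIdentity(string $name, string $email, string $comment): void
{
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)) {
        throw new InvalidArgumentException('key name contains disallowed characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('key e-mail is not a valid address');
    }
    if ($comment !== '' && !preg_match('/^[\p{L}\p{N} .,\'-]{1,64}$/u', $comment)) {
        throw new InvalidArgumentException('key comment contains disallowed characters');
    }
}

// Runs gpg with an argv array (proc_open array form, PHP >= 7.4): the user id reaches
// gpg as a single argument and no shell ever parses it. Returns gpg's exit status.
function generateServerKey(string $name, string $email, string $comment, string $homedir): int
{
    validateKeyIdentity($name, $email, $comment);
    $uid  = buildUserId($name, $email, $comment);
    $argv = ['gpg', '--homedir', $homedir, '--batch', '--pinentry-mode', 'loopback',
             '--passphrase', '', '--quick-gen-key', $uid, 'rsa4096'];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("gpg failed: $stderr");
    }
    return $status;
}

// Constructed payload: what an attacker would type into the wizard's "username" field.
$payload = 'Admin"; id > /tmp/pwned; #';
$email   = 'admin@example.test';

echo "vulnerable: ", buildGenKeyCommandVulnerable($payload, $email, ''), PHP_EOL;
echo "escaped:    ", buildGenKeyCommandEscaped($payload, $email, ''), PHP_EOL;
try {
    validateKeyIdentity($payload, $email, '');
} catch (InvalidArgumentException $e) {
    echo "rejected:   ", $e->getMessage(), PHP_EOL;
}
```

Running the script prints the vulnerable command with the payload spliced into it, the escaped command with the whole user id inside one single-quoted argument, and the rejection from the allow-list check. The argv form is preferred over escapeshellarg() because escapeshellarg() is locale-dependent (it drops bytes that are invalid in the current character set, which can silently mangle non-ASCII names), and because a command that never passes through a shell cannot be broken by a quoting mistake in the first place.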
References
- github.com/FriendsOfPHP/security-advisories/blob/master/passbolt/passbolt_api/2019-02-11-1.yaml
- github.com/advisories/GHSA-cv5c-2qv5-w2m2
- github.com/passbolt/passbolt_api
- github.com/passbolt/passbolt_api/commit/be84671676ebac43d49e326a14f1afe259777611
- www.passbolt.com/incidents/20190211_multiple_vulnerabilities