CVE-2019-10803: OS Command Injection

February 28, 2020 (updated March 3, 2020)

The package push-dir allows execution of arbritary commands. Arguments provided as part of the variable opt.branch are not validated before being provided to the git command within index.js#L139. This could be abused by an attacker to inject arbitrary commands.

References

nvd.nist.gov/vuln/detail/CVE-2019-10803

Detect and mitigate CVE-2019-10803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →