Remote Code Execution (RCE)

Affecting dependabot-omnibus gem, versions >=0.119.0.beta1, <0.125.1


Overview

dependabot-omnibus is an automated dependency management tool.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when cloning a source branch that contains malicious, injectable bash code.
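The injection class this advisory names (CWE-94, untrusted input reaching a shell), shown as an added Ruby illustration that is not dependabot-omnibus code: the command shape, the sample branch names and the allow-list are assumptions made for the demonstration, and `echo` stands in for `git clone` so it runs offline.

```ruby
require "open3"

# Added illustration of the CWE-94 pattern the advisory describes, not code from
# dependabot-omnibus: a branch name supplied by a third party is interpolated
# into a shell command string, beside a hardened argv-based form.

# Constructed sample inputs.
SAFE_BRANCH      = "feature/bump-rails".freeze
MALICIOUS_BRANCH = "main; echo INJECTED".freeze # carries shell metacharacters

# Vulnerable form: one command string. Ruby hands a string containing shell
# metacharacters to /bin/sh, so "; echo INJECTED" runs as a second command.
def run_unsafe(branch)
  out, _status = Open3.capture2("echo cloning #{branch}")
  out
end

# Hardened form: argv array. No shell is involved; the branch name reaches the
# program as a single argument, metacharacters and all.
def run_argv(branch)
  out, _status = Open3.capture2("echo", "cloning", branch)
  out
end

# Defence in depth: a conservative allow-list for branch names (stricter than
# git's own ref-name rules), applied before the value reaches any command.
def valid_branch_name?(branch)
  return false if branch.empty? || branch.length > 255
  return false unless branch.match?(%r{\A[A-Za-z0-9][A-Za-z0-9._/-]*\z})
  return false if branch.include?("..") || branch.include?("//") || branch.include?("@{")
  return false if branch.end_with?(".", "/", ".lock")

  true
end

# Validate first, then spawn without a shell; refuse anything that fails the check.
def clone_branch(branch)
  raise ArgumentError, "refused branch name: #{branch.inspect}" unless valid_branch_name?(branch)

  run_argv(branch)
end

puts run_unsafe(MALICIOUS_BRANCH) # two lines: "cloning main" then "INJECTED"
puts run_argv(MALICIOUS_BRANCH)   # one line; the metacharacters stay inert
puts clone_branch(SAFE_BRANCH)
```

The validated argv form is the shape to look for when reviewing any code that builds git commands from repository or branch names taken from configuration or a remote.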

Remediation

Upgrade dependabot-omnibus to version 0.125.1 or higher.

References

CVSS Score

3.9
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L/E:P
Credit
Unknown
CVE
CVE-2020-26222
CWE
CWE-94
Snyk ID
SNYK-RUBY-DEPENDABOTOMNIBUS-1040429
Disclosed
13 Nov, 2020
Published
15 Nov, 2020