CVE-2015-8969: Shell Metacharacter Injection Arbitrary Command Execution

November 3, 2016 (updated November 28, 2016)

The library passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to cd and git clone commands in the library.

References

github.com/square/git-fastclone/pull/5
hackerone.com/reports/105190

Code Behaviors & Features

Detect and mitigate CVE-2015-8969 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →