漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
Vulnerability Description
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Ansible Galaxy NG 命令注入漏洞
Vulnerability Description
Galaxy NG是美国Ansible公司开源的新一代后端服务。 Ansible Galaxy NG存在命令注入漏洞,该漏洞源于galaxy_ng中do_git_checkout()函数将未经过清理的git ref名称插入shell命令,可能导致经过身份验证的用户通过创建包含shell元字符的分支或标签实现在pulp worker上远程执行代码。
CVSS Information
N/A
Vulnerability Type
N/A