0x5t4l1n/CVE
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/CVE.git synced 2026-05-26 19:26:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
cf6946769cbd82df9eb7501cf3094cd1709b9f50
CVE/reported/CVE-2026-45152.md
T
Stalin cf6946769c Create CVE-2026-45152.md
2026-05-12 18:30:04 +05:30

81 lines
2.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
![CVE](https://img.shields.io/badge/CVE-2026--45152-red)
# CVE-2026-45152 — uniget Command Injection via Unsafe `tool.Check` Execution
> CVE-2026-45152 has been officially published by GitHub Security Advisories.
## Overview
A command injection vulnerability exists in uniget due to unsafe execution of the `check` field from metadata files using `/bin/bash -c`. Because the `check` field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victims system.
**CVE ID:** CVE-2026-45152
**Affected Version:** uniget CLI ≤ 0.27.0
**Fixed In:** uniget CLI 0.27.1
**Severity:** High
**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
---
## Description
The vulnerability exists in the `RunVersionCheck()` function, where uniget executes the `tool.Check` field using `/bin/bash -c`.
Because metadata files are parsed directly into the `Tool` structure using `json.Unmarshal()`, attacker-controlled input can reach the shell execution sink without validation.
The following vulnerable pattern was identified:
```go
cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'")
```
Since `/bin/bash -c` interprets shell metacharacters such as `;`, `&&`, `|`, `$()`, and backticks, arbitrary shell commands may be injected and executed.
---
## Impact
An attacker processing malicious metadata may be able to:
* Execute arbitrary shell commands
* Exfiltrate sensitive files or environment variables
* Install malware or backdoors
* Modify or delete accessible files
* Establish persistence on the victim machine
* Compromise CI/CD environments using uniget automation
Commands execute with the privileges of the user running uniget.
---
## Preconditions
* The victim must process attacker-controlled metadata files.
* The vulnerable uniget version must invoke the `tool.Check` field through `/bin/bash -c`.
* The attacker must be able to supply malicious metadata containing shell metacharacters.
---
## Workarounds
* Avoid using `/bin/bash -c` with untrusted input.
* Sanitize or strictly validate metadata fields before execution.
* Execute fixed binaries and arguments directly without invoking a shell.
* Run uniget in isolated or low-privilege environments when processing untrusted metadata.
---
## References
* https://github.com/uniget-org/cli/security/advisories/GHSA-qqq4-5773-pmw5
---
## Discoverer
**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))
Reference in New Issue View Git Blame Copy Permalink