CVE-2020-26284

{"id": "CVE-2020-26284", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2020-12-21T23:15:12.157", "references": [{"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/golang/go/issues/38736", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/golang/go/issues/38736", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."}, {"lang": "es", "value": "Hugo es un generador de sitios est\u00e1ticos r\u00e1pido y flexible integrado en Go. Hugo depende del \"os/exec\" de Go para determinadas funcionalidades por ejemplo, para la representaci\u00f3n de documentos Pandoc si estos binarios se encuentran en el sistema \"%PATH%\" en Windows. En Hugo anterior a versi\u00f3n 0.79.1, si un archivo malicioso con el mismo nombre (\"exe\" o \"bat\") se encuentra en el directorio de trabajo actual en el momento de ejecutar \"hugo\", el comando malicioso ser\u00e1 invocado en lugar del sistema. Los usuarios de Windows que ejecutan \"hugo\" dentro de sitios de Hugo no confiables est\u00e1n afectados. Los usuarios deben actualizar a Hugo versi\u00f3n v0.79.1. Aparte de evitar los sitios de Hugo que no confiables, no existe una soluci\u00f3n alternativa"}], "lastModified": "2024-11-21T05:19:45.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "E9F3B098-63C6-44CD-A08B-876C6CBC8BDF", "versionEndExcluding": "0.79.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}