GitForge.jl Path Traversal Vulnerability in GitHub Repository Access Function

Vulnerability

A vulnerability exists in GitForge.jl versions prior to 0.4.3 due to inadequate input validation in the GitForge.get_repo function for GitHub. Users can submit any string for the owner and repository fields, which are then sent directly to the server without proper validation or encoding. This flaw allows the inclusion of path traversal patterns, such as '../', to access unintended endpoints on api.github.com. Version 0.4.3 addresses this issue by implementing the necessary input validation. No workarounds are available.
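As an added illustration that is not part of this advisory or of GitForge.jl's own code, the following Python shows the unchecked URL construction the advisory describes next to a hardened builder that allow-lists each path segment and percent-encodes it. The owner and repository naming rules, the function names and API_BASE are assumptions, not values taken from the package.

```python
import re
import posixpath
from urllib.parse import quote, urlsplit

API_BASE = "https://api.github.com"

# Assumed segment rules (not stated in the advisory): GitHub owner names are
# alphanumerics and single hyphens, not starting or ending with a hyphen, at
# most 39 characters; repository names are alphanumerics, '-', '_' and '.',
# at most 100 characters, and never the special segments '.' or '..'.
OWNER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}")
REPO_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")


def build_repo_url_unchecked(owner: str, repo: str) -> str:
    """The pattern the advisory describes: caller strings pasted straight into
    the request path, so a value containing '../' changes which endpoint is hit."""
    return f"{API_BASE}/repos/{owner}/{repo}"


def resolved_path(url: str) -> str:
    """Path the server actually routes after dot-segment normalisation
    (RFC 3986 section 5.2.4); handy when auditing what a request really asked for."""
    return posixpath.normpath(urlsplit(url).path)


def validate_segment(value: str, pattern: re.Pattern, what: str) -> str:
    """Allow-list check: the value must be exactly one well-formed path segment."""
    if value in (".", "..") or pattern.fullmatch(value) is None:
        raise ValueError(f"invalid GitHub {what}: {value!r}")
    return value


def build_repo_url(owner: str, repo: str) -> str:
    """Hardened builder: validate against the allow-list, then percent-encode
    each segment with nothing marked safe, so '/', '?' and '#' can never split
    or redirect the path even if the allow-list is later relaxed."""
    owner = validate_segment(owner, OWNER_RE, "owner")
    repo = validate_segment(repo, REPO_RE, "repository")
    return f"{API_BASE}/repos/{quote(owner, safe='')}/{quote(repo, safe='')}"


def is_acceptable(owner: str, repo: str) -> bool:
    """Predicate for callers or log review: True only when the pair would be
    sent by the hardened builder."""
    try:
        build_repo_url(owner, repo)
    except ValueError:
        return False
    return True
```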

Impact

Exploitation of this vulnerability could let a caller reach GitHub API endpoints other than the intended repository endpoint, potentially enabling further exploitation or data manipulation.

Remediation

Users are advised to upgrade to GitForge.jl version 0.4.3 or later.

Added: Jun 25, 2025, 4:21 PM
Updated: Jun 25, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          0.6
exploitability  6.4
remediation     7.7
relevance       0.2
threat          0.0
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.