CVE-2020-26284 - Vulnerability Details - OpenCVE

Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.0041.

Key SSVC decision points have not yet been added.

Vendors	Products
Gohugo	Hugo

Configuration 1 [-]

cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq
https://github.com/golang/go/issues/38736

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-21T22:40:15

Updated: 2024-08-04T15:56:03.976Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26284

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-12-21T23:15:12.157

Modified: 2024-11-21T05:19:45.430

Link: CVE-2020-26284

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "hugo", "vendor": "gohugoio", "versions": [{"status": "affected", "version": "< 0.79.1"}]}], "descriptions": [{"lang": "en", "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-21T22:40:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/golang/go/issues/38736"}], "source": {"advisory": "GHSA-8j34-9876-pvfq", "discovery": "UNKNOWN"}, "title": "Hugo can execute a binary from the current directory on Windows", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26284", "STATE": "PUBLIC", "TITLE": "Hugo can execute a binary from the current directory on Windows"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hugo", "version": {"version_data": [{"version_value": "< 0.79.1"}]}}]}, "vendor_name": "gohugoio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq", "refsource": "CONFIRM", "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"}, {"name": "https://github.com/golang/go/issues/38736", "refsource": "MISC", "url": "https://github.com/golang/go/issues/38736"}]}, "source": {"advisory": "GHSA-8j34-9876-pvfq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:03.976Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/golang/go/issues/38736"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26284", "datePublished": "2020-12-21T22:40:15", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.976Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*", "matchCriteriaId": "E9F3B098-63C6-44CD-A08B-876C6CBC8BDF", "versionEndExcluding": "0.79.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."}, {"lang": "es", "value": "Hugo es un generador de sitios est\u00e1ticos r\u00e1pido y flexible integrado en Go. Hugo depende del \"os/exec\" de Go para determinadas funcionalidades por ejemplo, para la representaci\u00f3n de documentos Pandoc si estos binarios se encuentran en el sistema \"%PATH%\" en Windows. En Hugo anterior a versi\u00f3n 0.79.1, si un archivo malicioso con el mismo nombre (\"exe\" o \"bat\") se encuentra en el directorio de trabajo actual en el momento de ejecutar \"hugo\", el comando malicioso ser\u00e1 invocado en lugar del sistema. Los usuarios de Windows que ejecutan \"hugo\" dentro de sitios de Hugo no confiables est\u00e1n afectados. Los usuarios deben actualizar a Hugo versi\u00f3n v0.79.1. Aparte de evitar los sitios de Hugo que no confiables, no existe una soluci\u00f3n alternativa"}], "id": "CVE-2020-26284", "lastModified": "2024-11-21T05:19:45.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-21T23:15:12.157", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/38736"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/38736"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}