CVE-2025-30370

{"id": "CVE-2025-30370", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2025-04-03T22:15:21.190", "references": [{"url": "https://github.com/jupyterlab/jupyterlab-git/blob/7eb3b06f0092223bd5494688ec264527bbeb2195/src/commandsAndMenu.tsx#L175-L184", "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterlab/jupyterlab-git/commit/b46482993f76d3a546015c6a94ebed8b77fc2376", "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterlab/jupyterlab-git/pull/1196", "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-cj5w-8mjf-r5f8", "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-cj5w-8mjf-r5f8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks \"Git > Open Git Repository in Terminal\" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd <git-repo-path> through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1."}, {"lang": "es", "value": "jupyterlab-git es una extensi\u00f3n de JupyterLab para el control de versiones mediante Git. En muchas plataformas, un tercero puede crear un repositorio Git con un nombre que incluya una cadena de sustituci\u00f3n de comandos de shell en la sintaxis $(). Estos nombres de directorio est\u00e1n permitidos en macOS y la mayor\u00eda de las distribuciones de Linux. Si un usuario inicia jupyter-lab en un directorio principal de este repositorio Git con un nombre inapropiado, lo abre y hace clic en \"Git &gt; Abrir repositorio Git en la terminal\" en la barra de men\u00fa, el comando inyectado se ejecuta en la shell del usuario sin su permiso. Este problema se produce porque, al hacer clic en esa entrada del men\u00fa, jupyterlab-git abre la terminal y ejecuta cd en la shell para establecer el directorio actual. Al hacerlo, se ejecuta cualquier cadena de sustituci\u00f3n de comandos presente en el nombre del directorio, lo que provoca el problema de inyecci\u00f3n de comandos descrito aqu\u00ed. Un parche anterior proporcion\u00f3 una soluci\u00f3n incompleta. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.51.1. "}], "lastModified": "2025-04-07T14:18:34.453", "sourceIdentifier": "security-advisories@github.com"}