CVE-2020-26284 - log

CVE-2020-26284 edited at 22 Dec 2020 11:10:17
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Arbitrary command execution
Description
+ A security issue was found in Hugo on the Windows platform before version 0.79.1. Hugo depends on Go's os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. However, if a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one.
References
+ https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq
+ https://github.com/golang/go/issues/38736
+ https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab
Notes
CVE-2020-26284 created at 22 Dec 2020 11:06:48