Miggo Logo

CVE-2014-0177: Hub Package Arbitrary File Overwrite

4.4

CVSS Score
3.1

Basic Information

EPSS Score
0.34462%
Published
2/15/2022
Updated
11/8/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/github/hubgo< 1.12.11.12.1
hubrubygems< 1.12.11.12.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key functions:

  1. The am function in lib/hub/commands.rb directly handled temporary file creation using predictable names via File.join(tmp_dir, patch_name), making symlink attacks possible.
  2. The tmp_dir function in lib/hub/context.rb enforced use of insecure default directories like /tmp. The patch removed tmp_dir and replaced the file creation with Tempfile.new, which uses secure, non-predictable filenames. Both functions were explicitly modified in the security fix commit, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `*m` *un*tion in `li*/*u*/*omm*n*s.r*` in *u* ***or* *.**.* *llows lo**l us*rs to ov*rwrit* *r*itr*ry *il*s vi* * symlink *tt**k on * t*mpor*ry p*t** *il*.

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *. T** `*m` *un*tion in `li*/*u*/*omm*n*s.r*` *ir**tly **n*l** t*mpor*ry *il* *r**tion usin* pr**i*t**l* n*m*s vi* `*il*.join(tmp_*ir, p*t**_n*m*)`, m*kin* symlink *tt**ks possi*l*. *. T** `tmp_*ir` *un