The vulnerability stems from improper command-line argument handling in HomarusController.php. The pre-patch code (1) interpolated the raw 'Authorization' header into a shell command string ($cmd_string) and (2) passed that string to CmdExecuteService::execute(). This violates CWE-150/CWE-157 by failing to neutralize shell metacharacters in user-controlled input. The commit diff shows that the fix replaced string concatenation with array-based argument passing (via Symfony's HeaderBag), a standard mitigation for command injection: each argument reaches the child process as one literal argv element and no shell parses it. The convert() method is the primary vulnerability point, while generateDerivativeResponse() enables execution.
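As an added illustration (not code from Crayfish or from the advisory), the pre-patch string-building shape is shown beside the array-based shape the fix introduced; the tool name "some-tool", the function names and the header value are constructed placeholders, and the array form of proc_open requires PHP 7.4 or later.

```php
<?php
declare(strict_types=1);
// Added illustration, not Crayfish's code: string-built command (pre-patch shape)
// next to an argv array (patched shape). "some-tool" is a placeholder name.

/** Pre-patch shape: the raw header is interpolated into one string handed to /bin/sh. */
function buildVulnerableCommand(string $authorizationHeader, string $source): string
{
    // Quotes, ';', '|' or '$(...)' inside the header are interpreted by the shell.
    return "some-tool --header 'Authorization: $authorizationHeader' '$source'";
}

/** Patched shape: one array element per argument; no shell ever parses it. */
function buildSafeArgv(string $authorizationHeader, string $source): array
{
    return ['some-tool', '--header', 'Authorization: ' . $authorizationHeader, $source];
}

/** Defence in depth: accept only header values that match the expected token grammar. */
function isWellFormedAuthorization(string $header): bool
{
    return preg_match('/^Bearer [A-Za-z0-9._~+\/=-]{1,4096}$/', $header) === 1;
}

/** Run an argv array without a shell (PHP >= 7.4) and return its stdout. */
function runArgv(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed header containing shell metacharacters (not a real token).
$header = "Bearer abc'; echo INJECTED; '";
echo "string form : ", buildVulnerableCommand($header, 'in.tif'), "\n";
echo "well-formed : ", var_export(isWellFormedAuthorization($header), true), "\n";

// Replace the placeholder tool with printf so the demo is harmless to run:
// printf prints each argv element on its own line, so the header stays ONE argument.
$args = array_slice(buildSafeArgv($header, 'in.tif'), 1);
echo runArgv(array_merge(['printf', '[%s]\n'], $args));
```

The string form shows the quote in the header closing the single-quoted argument, which is exactly what the shell would act on; the printf run shows the same header arriving intact as a single element when passed as an array.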
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| islandora/crayfish | composer | < 4.1.0 | 4.1.0 |