CVE-2020-9708 MEDIUM

CVE-2020-9708: GHSL-2020-133: Insufficient validation of user input in resolveRepositoryPath function

Vendor Adobe
Product Helix
Weakness CWE-24
Published August 14, 2020
Last update September 16, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The resolveRepositoryPath function does not properly validate user input, so a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access to private Git repositories, as long as the malicious user knows or brute-forces the location of the repository.
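The containment check that the description says is missing can be sketched as follows. This is an added example, not Helix's code or its actual fix: it contrasts a naive join with a resolver that validates each component and then confirms the result stays under the root. The function names, the `owner`/`repo` parameters, the allowed-character pattern and the `/srv/repos` root are all assumptions made for illustration.

```javascript
'use strict';
// POSIX path semantics are used so the result is the same on every platform.
const path = require('path').posix;

// Naive form, shown for contrast (hypothetical, not Helix's implementation):
// '..' segments in the caller-supplied components are honoured by join().
function naiveResolve(repoRoot, owner, repo) {
  return path.join(repoRoot, owner, repo);
}

// Assumed policy: one path segment, starting with an alphanumeric character,
// so '.', '..', separators and percent-encoded input are all rejected.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Hardened form: returns the absolute repository path, or null when the
// input is malformed or the resolved path is not strictly inside repoRoot.
function safeResolve(repoRoot, owner, repo) {
  for (const seg of [owner, repo]) {
    if (typeof seg !== 'string' || !SAFE_SEGMENT.test(seg)) {
      return null;
    }
  }
  const root = path.resolve(repoRoot);
  const candidate = path.resolve(root, owner, repo);

  // Defence in depth: even if the segment policy is loosened later,
  // the normalised path must still be a descendant of the root.
  const rel = path.relative(root, candidate);
  if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) {
    return null;
  }
  // Symlinks under repoRoot are not resolved here; a deployment that allows
  // them would also compare fs.realpathSync() results before opening the repo.
  return candidate;
}

module.exports = { naiveResolve, safeResolve };
```

Rejecting the request when the function returns null, and logging the rejected components, also gives defenders a signal for the location brute-forcing the description mentions.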

Key dates

02 Disclosure timeline

August 14, 2020 CVE published
September 16, 2024 Record updated