NodeJS/hubot-scripts/2.0.3


Allows you to opt in to a variety of scripts

https://www.npmjs.com/package/hubot-scripts
MIT

2 Security Vulnerabilities

Potential Command Injection in hubot-scripts

Published date: 2020-08-31T22:46:38Z
CVE: CVE-2013-7378

Versions 2.4.3 and earlier of hubot-scripts are vulnerable to command injection in the hubot-scripts/package/src/scripts/email.coffee module.

Mitigating Factors

The email script is not enabled by default; it has to be manually added to hubot's list of loaded scripts.

Recommendation

Update hubot-scripts to version 2.4.4 or later.

Affected versions: ["1.0.3", "1.0.4", "1.1.1", "1.1.3", "1.1.4", "1.1.7", "1.1.8", "2.0.2", "2.0.3", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.4.0", "2.4.2", "2.4.3", "1.0.0", "1.1.0", "1.1.2", "1.1.5", "1.1.6", "2.0.1", "2.0.4", "2.0.8", "2.1.2", "2.1.3", "2.2.2", "2.0.7", "2.4.1"]
Secure versions: [2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.5.1, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 3.0.0-beta1, 3.0.0-beta3, 3.0.1-beta1]
Recommendation: Update to version 2.17.2.

Potential Command Injection

Published date: 2013-05-15
CVEs: ["CVE-2013-7378"]
CVSS Score: 4.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Coordinating vendor: ^Lift Security

Untrusted input passed to the hubot-scripts/package/src/scripts/email.coffee module can allow for command injection. This may be unexpected behavior for the caller.

Mitigating Factors

The email script is not enabled by default; it has to be manually added to hubot's list of loaded scripts.

Affected versions: ["1.0.0", "1.0.3", "1.0.4", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.1.8", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.8", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.2.0", "2.2.1", "2.2.2", "2.0.7", "2.4.0", "2.4.1", "2.4.2", "2.4.3"]
Secure versions: [2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.17.2, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.5.1, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 3.0.0-beta1, 3.0.0-beta3, 3.0.1-beta1]
Recommendation: A new version containing a fix has yet to be pushed to NPM. Use the version located at https://github.com/github/hubot-scripts/ until version 2.4.4 comes out.

60 Other Versions

Version License Security Released
1.1.6 MIT 2 2011-11-02 - 22:53 over 13 years
1.1.5 MIT 2 2011-10-31 - 19:22 over 13 years
1.1.4 MIT 2 2011-10-29 - 22:56 over 13 years
1.1.3 MIT 2 2011-10-28 - 08:41 over 13 years
1.1.2 MIT 2 2011-10-28 - 06:27 over 13 years
1.1.1 MIT 2 2011-10-28 - 05:08 over 13 years
1.1.0 MIT 2 2011-10-27 - 21:34 over 13 years
1.0.4 MIT 2 2011-10-26 - 05:49 over 13 years
1.0.3 MIT 2 2011-10-26 - 00:41 over 13 years
1.0.0 MIT 2 2011-10-25 - 18:23 over 13 years