Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2020-26284

Published: 21 December 2020

Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.

Priority

Medium

Cvss 3 Severity Score

8.5

Score breakdown

Status

Package Release Status
hugo
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(Only affects Windows)
focal Not vulnerable
(Only affects Windows)
groovy Ignored
(end of life)
hirsute Ignored
(end of life)
impish Not vulnerable
(Only affects Windows)
jammy Not vulnerable
(Only affects Windows)
kinetic Not vulnerable
(Only affects Windows)
lunar Not vulnerable
(0.102.3-1ubuntu1)
trusty Does not exist

upstream
Released (0.79.1-1)
xenial Not vulnerable
(Only affects Windows)

Severity score breakdown

Parameter Value
Base score 8.5
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H