Critical severity · NVD Advisory · Published May 16, 2024 · Updated Apr 15, 2026
CVE-2024-5023
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection. This issue affects ConsoleMe: before 1.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| consoleme (PyPI) | < 1.4.0 | 1.4.0 |
Patches
13 files changed · +28 −4
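--- a/consoleme/lib/scm/git/__init__.py
+++ b/consoleme/lib/scm/git/__init__.py
@@ -27,6 +27,7 @@ async def clone(self, no_checkout=True, depth: Optional[int] = None):
         await sync_to_async(git.Git(self.tempdir).clone)(*args, **kwargs)
         self.repo = git.Repo(os.path.join(self.tempdir, self.repo_name))
         self.repo.config_writer().set_value("user", "name", "ConsoleMe").release()
+        self.repo.config_writer().set_value("core", "symlinks", "false").release()
         if self.git_email:
             self.repo.config_writer().set_value(
                 "user", "email", self.git_email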
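Review bot: `core.symlinks` is written only after `clone()` has returned, so it governs later checkouts but not any work tree the clone call itself may already have materialized. The signature's `no_checkout=True` default suggests the clone normally leaves no work tree, but a caller passing `no_checkout=False` would get its checkout before this setting exists; passing the option on the clone command instead, e.g. adding `"-c", "core.symlinks=false"` to the clone `args`, removes that ordering dependency. How `args` is assembled lies outside the hunk, as does the start of the enclosing `clone` method.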
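--- a/consoleme/lib/templated_resources/requests.py
+++ b/consoleme/lib/templated_resources/requests.py
@@ -1,5 +1,8 @@
 import io
 import json
+import os
+import random
+import string
 import time
 
 from ruamel.yaml.comments import CommentedSeq
@@ -30,7 +33,10 @@ async def generate_honeybee_request_from_change_model_array(
     repositories_for_request = {}
     primary_principal = None
     t = int(time.time())
-    generated_branch_name = f"{user}-{t}"
+    suffix = "".join(
+        random.choices(string.ascii_lowercase + string.digits, k=10)  # nosec
+    )
+    generated_branch_name = f"{user}-{t}-{suffix}"
     policy_name = config.get(
         "generate_honeybee_request_from_change_model_array.policy_name",
         "self_service_generated",
@@ -78,10 +84,26 @@ async def generate_honeybee_request_from_change_model_array(
         main_branch_name = repositories_for_request[change.principal.repository_name][
             "main_branch_name"
         ]
-        git_client.checkout(
-            f"origin/{main_branch_name}", change.principal.resource_identifier
+
+        change_file_path = os.path.abspath(
+            f"{repo.working_dir}/{change.principal.resource_identifier}"
         )
-        change_file_path = f"{repo.working_dir}/{change.principal.resource_identifier}"
+        clone_wd_path = os.path.abspath(repo.working_dir)
+        if os.path.commonprefix((clone_wd_path, change_file_path)) != clone_wd_path:
+            log.exception(
+                f"User attempted to reference a file outside of the repository: {change_file_path} is not within {clone_wd_path}"
+            )
+            raise ValueError("Unable to raise change request for this resource")
+
+        try:
+            git_client.checkout(
+                f"origin/{main_branch_name}", "--", change.principal.resource_identifier
+            )
+        except Exception:
+            log.exception(
+                f"Unable to checkout {main_branch_name} for {change.principal.resource_identifier}"
+            )
+            raise ValueError("Unable to raise change request for this resource")
         with open(change_file_path, "r") as f:
             yaml_content = yaml.load(f)
 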
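Review bot: The containment check in the third hunk uses `os.path.commonprefix`, which compares strings character by character rather than path components, so a sibling directory whose name merely begins with the clone directory's name would still satisfy it; since both values are already absolute, `if os.path.commonpath((clone_wd_path, change_file_path)) != clone_wd_path:` makes the comparison component-wise. `os.path.abspath` does not resolve symlinks, so the check also depends on the `core.symlinks=false` setting made elsewhere in this commit to keep the resolved file inside the clone; a comment on the check saying so would help the next maintainer. The `log.exception` call on the path-check branch runs outside any `except`, so it records no traceback and `log.error` states the intent more plainly. The enclosing `generate_honeybee_request_from_change_model_array` begins before and continues after the hunk.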
tests/handlers/v2/test_requests.py+1 −0 modified@@ -718,6 +718,7 @@ def test_post_honeybee_request_dry_run(self, mock_git, mock_repo): - '*' Sid: admin""" with patch("builtins.open", mock_open(read_data=template_data)): + mock_repo.return_value.working_dir = "/tmp" response = self.fetch( "/api/v2/request", method="POST",
References
6- github.com/advisories/GHSA-3783-62vc-jr7xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-5023ghsaADVISORY
- github.com/Netflix/consoleme/commit/2795a2bd553938a21c0643b37452971625ce67f5ghsaWEB
- github.com/Netflix/consoleme/pull/9380ghsaWEB
- github.com/Netflix/consoleme/security/advisories/GHSA-3783-62vc-jr7xghsaWEB
- github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-002.mdnvdWEB