
Command injection notice #1675


Merged
merged 1 commit into from
Jul 11, 2025

Conversation


@fdevans fdevans commented Jul 11, 2025

No description provided.

@fdevans fdevans added this to the 5.14.0 milestone Jul 11, 2025
@fdevans fdevans requested review from gschueler and Copilot July 11, 2025 01:33

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces a new security advisory for a command injection vulnerability in job options due to incomplete escaping, and updates the CVE index to include it.

  • Added a new entry to the CVE index for the “Command Injection via Job Options” advisory
  • Created 2025-07-option-escaping.md with full advisory details

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/history/cves/index.md | Added new “Command Injection via Job Options” entry |
| docs/history/cves/2025-07-option-escaping.md | New advisory document describing the escaping vulnerability |

Comments suppressed due to low confidence (3)

docs/history/cves/index.md:16

  • [nitpick] The description uses "in" while the link title uses "via". Consider aligning this wording to "via" to match the advisory title and file name.
    Command Injection in Job Options Due to Incomplete Escaping

docs/history/cves/2025-07-option-escaping.md:6

  • [nitpick] The heading uses "in" but the advisory title and index entry use "via." Update this to "Command Injection via Job Options Due to Incomplete Escaping" for consistency.
    ## **Security Advisory: Command Injection in Job Options Due to Incomplete Escaping**

docs/history/cves/2025-07-option-escaping.md:14

  • [nitpick] Section headings are bolded here but other advisories typically use plain headings. Remove the extra bold formatting (e.g., change ## **Description** to ## Description) to match the established style.
    ## **Description**

@fdevans fdevans merged commit ede3ba4 into 4.0.x Jul 11, 2025
2 checks passed
@fdevans fdevans deleted the RUN-3575 branch July 11, 2025 02:25