PatchSiren

CVE-2016-7793 Sociomantic CVE debrief

CVE-2016-7793 is a high-severity vulnerability in sociomantic-tsunami git-hub versions before 0.10.3. According to the NVD record, a remote attacker can execute arbitrary code by supplying a crafted repository URL. The NVD entry also maps the issue to CWE-284 and rates it CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating broad impact if the vulnerable code path is reachable.

Vendor: Sociomantic
Product: CVE-2016-7793
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and CI/CD or automation operators using sociomantic-tsunami git-hub 0.10.2 or earlier should treat this as urgent, especially if the tool processes repository URLs from untrusted or user-controlled input.

Technical summary

The vulnerable condition is described as arbitrary code execution triggered through a crafted repository URL in git-hub before 0.10.3. NVD identifies affected versions through 0.10.2 and classifies the issue under CWE-284. The published CVSS vector shows network reachability, low attack complexity, no privileges required, and user interaction required, with potential confidentiality, integrity, and availability impact rated high.

Defensive priority

High. The combination of remote code execution potential, no privileges required, and high CIA impact makes this a priority upgrade and containment issue for any environment that uses the affected release line.

Recommended defensive actions

  • Upgrade sociomantic-tsunami git-hub to 0.10.3 or later.
  • Before rollout, identify any systems, scripts, or pipelines that accept repository URLs and use git-hub.
  • Restrict or validate repository URL inputs before they reach the vulnerable component.
  • Review automation and build environments for exposure to untrusted repository URLs.
  • Monitor for unexpected process execution or repository-fetch activity around the affected workflow.
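
One way to implement the version inventory and URL validation steps above, as an added example (not code from the NVD record or the git-hub project). The host allowlist, the accepted URL forms and the character rules are assumptions; the page does not describe the crafted URL, so the check is a fail-closed allowlist rather than a filter for a known pattern.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this pipeline is expected to fetch from (constructed value).
ALLOWED_HOSTS = {"github.com"}
FIXED_VERSION = (0, 10, 3)  # first fixed git-hub release per the advisory
# owner/repo built from conservative characters only; no leading '-' or '.'.
_PATH_RE = re.compile(r"/?[A-Za-z0-9_][A-Za-z0-9._-]*/[A-Za-z0-9_][A-Za-z0-9._-]*")
# scp-like form: git@host:owner/repo(.git)
_SCP_RE = re.compile(r"git@([A-Za-z0-9.-]+):(.+)")


def is_vulnerable_version(version: str) -> bool:
    """True if a git-hub version string is earlier than 0.10.3."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts < FIXED_VERSION


def is_allowed_repo_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Fail-closed check: accept only plain https/ssh URLs to known hosts."""
    # Reject empty, option-like, or non-printable/whitespace-bearing input.
    if not url or url.startswith("-") or not re.fullmatch(r"[\x21-\x7e]+", url):
        return False
    scp = _SCP_RE.fullmatch(url)
    if scp:
        host, path = scp.group(1), scp.group(2)
    else:
        try:
            parts = urlsplit(url)
            if parts.scheme not in ("https", "ssh") or parts.query or parts.fragment:
                return False
            if parts.username not in (None, "git") or parts.password or parts.port:
                return False
            host, path = parts.hostname or "", parts.path
        except ValueError:
            return False
    return host.lower() in allowed_hosts and bool(_PATH_RE.fullmatch(path))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("https://github.com/sociomantic-tsunami/git-hub.git",
                   "https://github.com/owner/repo;x",
                   "https://unknown.example/owner/repo"):
        print(sample, "->", is_allowed_repo_url(sample))
```

Run the URL check in the wrapper script or pipeline step that receives the URL, before git-hub is invoked, and treat a `False` result as a hard stop rather than trying to sanitize the value.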

Evidence notes

The supplied NVD record states: affected CPE range for sociomantic:git-hub through 0.10.2; vulnerability description: remote attackers can execute arbitrary code via a crafted repository URL; CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; weakness CWE-284. Reference links in the record include an oss-security mailing list post, a SecurityFocus BID entry, and GitHub issue 197, all tagged by NVD as patch/advisory references.

Official resources

The CVE was published on 2017-01-19 and the supplied NVD record was modified on 2026-05-13. This debrief reflects the published vulnerability data and references in the source corpus.