PT-2023-27765 · Unknown · Hyper-Bump-It
Plannigan
Published 2023-09-04 · Updated 2023-09-08
CVE-2023-41057
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
hyper-bump-it versions prior to 0.5.1
Description
The issue arises from hyper-bump-it reading a file glob pattern from the configuration file and combining it with the project root directory to construct a full glob pattern. This pattern is used to find files that should be edited, but it does not check whether the matched files are contained within the project root directory. As a result, changes could be written to files outside of the project. The default behavior of hyper-bump-it is to display planned changes and prompt the user for confirmation before editing any files. However, the configuration file provides a field that can be used to cause files to be edited without displaying the prompt.
Recommendations
For versions prior to 0.5.1, upgrade to version 0.5.1 or later to resolve the issue.
As a temporary workaround, execute hyper-bump-it with the --interactive command line argument to ensure that all planned changes are displayed and the user is prompted for confirmation before editing any files, even if the configuration file contains show_confirm_prompt=true.
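The containment check that the description says was missing, as an added illustration that is not hyper-bump-it's own code: the glob is joined onto the project root exactly as described, then every match is resolved and refused unless it lies inside the root. It assumes Python's glob module for the expansion (the project's own matching code is not shown on this page) and goes one step beyond the advisory's case by also refusing symlinks that point outside the root; the directory layout in demo() is constructed for the example.

```python
import glob
import tempfile
from pathlib import Path


def matched_files(project_root: Path, file_glob: str) -> list[Path]:
    """Unchecked expansion: join the configured glob onto the project root and
    return every match. This is the pre-0.5.1 behaviour the advisory describes."""
    return [Path(p) for p in sorted(glob.glob(str(project_root / file_glob)))]


def matched_files_within_root(project_root: Path, file_glob: str):
    """Same expansion, but each match is resolved (symlinks followed) and kept
    only if it lies inside the resolved project root. Returns (kept, rejected)."""
    root = project_root.resolve()
    kept, rejected = [], []
    for match in matched_files(project_root, file_glob):
        real = match.resolve()
        (kept if real.is_relative_to(root) else rejected).append(real)
    return kept, rejected


def demo() -> dict:
    """Constructed layout (an assumption for this example, not from the advisory):
    <tmp>/project/version.txt inside the root, <tmp>/outside/version.txt in a
    sibling directory, <tmp>/project/link.txt a symlink to the outside file.
    Returns, per pattern, the kept and rejected paths relative to <tmp>."""
    base = Path(tempfile.mkdtemp()).resolve()
    project, outside = base / "project", base / "outside"
    project.mkdir()
    outside.mkdir()
    (project / "version.txt").write_text("0.5.0\n")
    (outside / "version.txt").write_text("0.5.0\n")
    try:
        (project / "link.txt").symlink_to(outside / "version.txt")
    except OSError:
        pass  # no symlink support: that case is simply absent from the results
    results = {}
    for pattern in ("version.txt", "../outside/*.txt", "*.txt"):
        kept, rejected = matched_files_within_root(project, pattern)
        results[pattern] = (
            [p.relative_to(base).as_posix() for p in kept],
            [p.relative_to(base).as_posix() for p in rejected],
        )
    return results


if __name__ == "__main__":
    for pattern, (kept, rejected) in demo().items():
        print(f"{pattern!r}: edit {kept}, refuse {rejected}")
```

A pattern such as "../outside/*.txt" still expands, but its matches resolve outside the root and are refused rather than edited.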
Weakness Enumeration
Path traversal
Affected Products
Hyper-Bump-It