Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affecting git-interface package, versions <2.1.2


Severity

Critical

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

  • Exploit Maturity: Proof of concept
  • EPSS: 0.24% (63rd percentile)

  • Snyk ID: SNYK-JS-GITINTERFACE-2774028
  • Published: 22 Apr 2022
  • Disclosed: 22 Apr 2022
  • Credit: Liran Tal of Snyk

Introduced: 22 Apr 2022

CVE-2022-1440
CWE-88
First added by Snyk

How to fix?

Upgrade git-interface to version 2.1.2 or higher.

Overview

git-interface is an interface for working with a git repository in Node.js.

Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'). The API may be abused if user input is able to provide a valid directory on disk and also supply the destination directory to clone a repository to. If both values come from user input, a value can be interpreted by git as a command-line option instead of as data: git clone supports the --upload-pack command line argument, which would then allow the attacker to spawn any operating system command.
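The following is an added example, not code from git-interface or from this advisory, and it is not presented as the change shipped in 2.1.2. It shows the general defence for this class of bug: reject values that git would parse as options and place `--` before the positional arguments. The helper names `naiveCloneArgs`, `safeCloneArgs` and `cloneRepo` are hypothetical.

```javascript
// Added example: hypothetical helpers, not git-interface's API.
const { execFile } = require('child_process');
const path = require('path');

// Naive form: user-controlled values become argv entries directly, so a value
// that starts with "-" is parsed by git as an option rather than as data.
function naiveCloneArgs(repo, dest) {
  return ['clone', repo, dest];
}

// Reject anything git could interpret as a command-line option.
function assertNotOption(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name} must not start with "-"`);
  }
}

// Hardened form: validate both values, resolve the destination to an absolute
// path, and put "--" (end of options) before the positional arguments so git
// treats everything after it as operands.
function safeCloneArgs(repo, dest) {
  assertNotOption('repo', repo);
  assertNotOption('dest', dest);
  return ['clone', '--', repo, path.resolve(dest)];
}

// execFile passes argv as an array and does not go through a shell.
// The callback receives (error, stdout, stderr).
function cloneRepo(repo, dest, callback) {
  return execFile('git', safeCloneArgs(repo, dest), callback);
}
```

The `--` separator and the leading-dash check are complementary: the check gives a clear error to the caller, and the separator still holds if a later code path skips the check.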

CVSS Scores

version 3.1