Homepage
About Snyk

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affecting git-interface package, versions <2.1.2

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.27% (69th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GITINTERFACE-2774028
  • published 22 Apr 2022
  • disclosed 22 Apr 2022
  • credit Liran Tal of Snyk
Report a new vulnerability Found a mistake?

Introduced: 22 Apr 2022

CVE-2022-1440 Open this link in a new tab
CWE-88 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade git-interface to version 2.1.2 or higher.

Overview

git-interface is an interface to work with a git repository in node.js

Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'). The API may be abused if user input is able to provide a valid directory on disk and supply the destination directory to clone a repository too. If both are provided by user input, then the use of a --upload-pack command line argument feature of git is also supported for git clone, which would then allow for any operating system command to be spawned by the attacker.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical