Command Injection Affecting git-interface package, versions <2.1.2


0.0
critical
  • Exploit Maturity: Proof of concept
  • Attack Complexity: Low
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • snyk-id: SNYK-JS-GITINTERFACE-2774028
  • published: 22 Apr 2022
  • disclosed: 22 Apr 2022
  • credit: Liran Tal of Snyk

How to fix?

Upgrade git-interface to version 2.1.2 or higher.

Overview

git-interface is an interface for working with a git repository in Node.js.

Affected versions of this package are vulnerable to Command Injection. The API may be abused if user input is able to provide a valid directory on disk and to supply the destination directory to clone a repository to. If both are provided by user input, git's --upload-pack command line argument, which git clone also supports, can be passed through, which allows the attacker to spawn any operating system command.
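For code that must call git clone with caller-supplied values, the following added example (not git-interface's code or its 2.1.2 fix) shows one way to keep those values from being parsed as git options. The function names, the allowed URL schemes and the destination-name pattern are assumptions chosen for illustration.

```javascript
// Added example: defensive argv construction for `git clone`.
// Policy values below (allowed schemes, name pattern) are assumptions.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);
const DEST_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function validateRepoUrl(repo) {
  if (typeof repo !== 'string' || repo.length === 0) {
    throw new TypeError('repository must be a non-empty string');
  }
  // A value starting with "-" would be parsed by git as an option.
  if (repo.startsWith('-')) {
    throw new Error('repository must not start with "-"');
  }
  let url;
  try {
    url = new URL(repo); // rejects anything that is not an absolute URL
  } catch {
    throw new Error('repository must be an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`scheme ${url.protocol} is not allowed`);
  }
  return repo;
}

function validateDestName(name) {
  // Destination is a single directory name, never a caller-chosen path.
  if (typeof name !== 'string' || !DEST_NAME.test(name)) {
    throw new Error('destination must be a plain directory name');
  }
  return name;
}

function buildCloneArgs(repo, destName, baseDir) {
  // baseDir comes from application configuration, not from user input.
  const target = `${baseDir.replace(/\/+$/, '')}/${validateDestName(destName)}`;
  // "--" ends option parsing, so both values are treated as positional.
  return ['clone', '--', validateRepoUrl(repo), target];
}

function safeClone(repo, destName, baseDir, callback) {
  // execFile passes argv directly to git; no shell interprets it.
  const { execFile } = require('node:child_process');
  return execFile('git', buildCloneArgs(repo, destName, baseDir), callback);
}
```

The `--` separator and the validation are independent layers: even if the validation policy is loosened later, values placed after `--` are not interpreted as options by git.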

References