Command Injection Affecting git-interface Open this link in a new tab package, versions <2.1.2

Exploit Maturity

Proof of concept
Attack Complexity

Low
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JS-GITINTERFACE-2774028
published

22 Apr 2022
disclosed

22 Apr 2022
credit

Liran Tal of Snyk

Report a new vulnerability Found a mistake?

Introduced: 22 Apr 2022

CVE-2022-1440 Open this link in a new tab CWE-78 Open this link in a new tab First added by Snyk

How to fix?

Upgrade git-interface to version 2.1.2 or higher.

Overview

git-interface is an interface to work with a git repository in node.js

Affected versions of this package are vulnerable to Command Injection. The API may be abused if user input is able to provide a valid directory on disk and supply the destination directory to clone a repository too. If both are provided by user input, then the use of a --upload-pack command line argument feature of git is also supported for git clone, which would then allow for any operating system command to be spawned by the attacker.

References

GitHub Gist

Command Injection Affecting git-interface Open this link in a new tab package, versions <2.1.2

Exploit Maturity

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 22 Apr 2022

How to fix?

Overview

References