Improper Handling of Alternate Data Stream Affecting nodegit package, versions <0.26.3
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-NODEGIT-542722
- published 7 Jan 2020
- disclosed 10 Dec 2019
- credit Nicolas Joly, Garima Singh
Introduced: 10 Dec 2019
CVE-2019-1353 Open this link in a new tabHow to fix?
Upgrade nodegit
to version 0.26.3 or higher.
Overview
nodegit is a Node bindings to the libgit2 project.
Affected versions of this package are vulnerable to Improper Handling of Alternate Data Stream. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
This vulnerability affects Git when running inside the Windows Subsystem for Linux and only when working on Windows drives where NTFS short names are enabled (which is the case, by default, for the system drive, i.e. C:
).
The exploit uses a directory named git~1
and it allows remote code execution during a regular git clone
.
For this reason, Git now turns on core.protectNTFS
by default, which is also required to address CVE-2019-1352.