Improper Handling of Alternate Data Stream Affecting nodegit package, versions <0.26.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.38% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-NODEGIT-542722
  • published7 Jan 2020
  • disclosed10 Dec 2019
  • creditNicolas Joly, Garima Singh

Introduced: 10 Dec 2019

CVE-2019-1353  (opens in a new tab)
CWE-69  (opens in a new tab)

How to fix?

Upgrade nodegit to version 0.26.3 or higher.

Overview

nodegit is a Node bindings to the libgit2 project.

Affected versions of this package are vulnerable to Improper Handling of Alternate Data Stream. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.

This vulnerability affects Git when running inside the Windows Subsystem for Linux and only when working on Windows drives where NTFS short names are enabled (which is the case, by default, for the system drive, i.e. C:).

The exploit uses a directory named git~1 and it allows remote code execution during a regular git clone.

For this reason, Git now turns on core.protectNTFS by default, which is also required to address CVE-2019-1352.

CVSS Scores

version 3.1