Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zeDYyLXg0NTYtcTJ2bc3X5w
OS Command Injection in git-pull-or-clone
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the outpath parameter passed to it may be a command-line argument to the git clone command and result in arbitrary command injection.
Credits
Credit @lirantal for discovering this vulnerability.
Permalink: https://github.com/advisories/GHSA-3x62-x456-q2vmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zeDYyLXg0NTYtcTJ2bc3X5w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3x62-x456-q2vm, CVE-2022-24437
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24437
- https://github.com/feross/git-pull-or-clone/commit/f9ce092be13cc32e685dfa26e7705e9c6e3108a3
- https://gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b
- https://snyk.io/vuln/SNYK-JS-GITPULLORCLONE-2434307
- https://github.com/advisories/GHSA-3x62-x456-q2vm
Blast Radius: 14.3
Affected Packages
npm:git-pull-or-clone
Dependent packages: 56Dependent repositories: 29
Downloads: 750 last month
Affected Version Ranges: < 2.0.2
Fixed in: 2.0.2
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 2.0.0, 2.0.1
All unaffected versions: 2.0.2