GHSA-HXWM-X553-X359
Vulnerability from github – Published: 2021-08-05 17:07 – Updated: 2021-08-02 19:02Summary
There exists a command injection vulnerability in npmcli/git versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input.
The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user controlled) Git command arguments.
Impact
Arbitrary Command Injection
Details
npmcli/git prior to release 2.0.8 passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing git+https://github.com/npm/git; echo hello world would trigger the shell execution of echo hello world.
This issue was remediated by no longer running npmcli/git git commands through an intermediate shell.
Patches
This issue has been patched in release 2.0.8
Acknowledgements
This report was reported to us by @tyage (Ierae Security) through the GitHub Bug Bounty Program.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@npmcli/git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-02T19:02:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThere exists a command injection vulnerability in `npmcli/git` versions \u003c2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when `npmcli/git` is used to execute Git commands based on user controlled input. \n\nThe impact of this issue is possible Arbitrary Command Injection when `npmcli/git` is run with untrusted (user controlled) Git command arguments. \n\n### Impact\n\nArbitrary Command Injection\n\n### Details\n\n`npmcli/git` prior to release `2.0.8` passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing `git+https://github.com/npm/git; echo hello world` would trigger the shell execution of `echo hello world`. \n\nThis issue was remediated by no longer running `npmcli/git` git commands through an intermediate shell.\n\n### Patches\n\nThis issue has been patched in release `2.0.8`\n\n### Acknowledgements\n\nThis report was reported to us by @tyage (Ierae Security) through the [GitHub Bug Bounty Program](https://bounty.github.com).\n",
"id": "GHSA-hxwm-x553-x359",
"modified": "2021-08-02T19:02:32Z",
"published": "2021-08-05T17:07:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/npm/git/security/advisories/GHSA-hxwm-x553-x359"
},
{
"type": "WEB",
"url": "https://github.com/npm/git/pull/29"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Arbitrary Command Injection due to Improper Command Sanitization"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.