CVE-2022-1440

Опубликовано: 22 апр. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Низкий

Описание

Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a --upload-pack command-line argument feature of git is also supported for git clone, which would then allow for any operating system command to be spawned by the attacker.

Ссылки

https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d
Patch
Third Party Advisory
https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1
Exploit
Mitigation
Third Party Advisory
https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d
Patch
Third Party Advisory
https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1
Exploit
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:git-interface_project:git-interface:*:*:*:*:*:node.js:*:*

Версия до 2.1.2 (исключая)

EPSS

Процентиль: 93%

0.09406

Низкий

9.8 Critical

CVSS3

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-qffw-8wg7-h665

CVSS3: 9.8

github

почти 4 года назад

Command injection in git-interface

EPSS

Процентиль: 93%

0.09406

Низкий

9.8 Critical

CVSS3

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-78