
Command Injection in git-tags-remote

High severity · GitHub Reviewed · Published Jul 29, 2020 to the GitHub Advisory Database · Updated Jan 9, 2023

Package

npm git-tags-remote (npm)

Affected versions

< 1.0.4

Patched versions

1.0.4

Description

All versions of git-tags-remote are vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call in the get function. This may allow attackers to execute arbitrary code on the system if the repo value passed to the function is user-controlled.

The following proof-of-concept creates a file in /tmp:

const gitTagsRemote = require('git-tags-remote');

gitTagsRemote.get('https://github.com/sh0ji/git-tags-remote.git; echo "Injection Success" > /tmp/command-injection.test')
.then(tags => console.log(tags));

References

Reviewed Jul 29, 2020
Published to the GitHub Advisory Database Jul 29, 2020
Last updated Jan 9, 2023

Severity

High: 7.2 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-gm9x-q798-hmr4

Source code
