CVE-2022-24437 – git-pull-or-clone
Package
Manager: npm
Name: git-pull-or-clone
Vulnerable Version: >=0 <2.0.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.04104 (percentile 0.88152)
Details
OS Command Injection in git-pull-or-clone
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported by git clone. The source uses the secure child process API spawn(), which avoids shell interpretation, but the outpath parameter passed to it may be interpreted by git clone as a command-line option rather than a path, and so result in arbitrary command injection.
Credits
Credit @lirantal for discovering this vulnerability.
Metadata
Created: 2022-05-03T00:00:46Z
Modified: 2022-08-22T20:42:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3x62-x456-q2vm/GHSA-3x62-x456-q2vm.json
CWE IDs: ["CWE-77", "CWE-78"]
Alternative ID: GHSA-3x62-x456-q2vm
Finding: F404
Auto approve: 1