Homepage
About Snyk

Improper Handling of Alternate Data Stream Affecting org.webjars.npm:nodegit package, versions [0,]

0.0
high

Snyk CVSS

    Attack Complexity High
    Scope Changed
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.44% (75th percentile)
Expand this section
NVD
9.8 critical
Expand this section
SUSE
9.8 critical
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGWEBJARSNPM-542725
  • published 7 Jan 2020
  • disclosed 10 Dec 2019
  • credit Nicolas Joly, Garima Singh
Report a new vulnerability Found a mistake?

Introduced: 10 Dec 2019

CVE-2019-1353 Open this link in a new tab
CWE-69 Open this link in a new tab

How to fix?

There is no fixed version for org.webjars.npm:nodegit.

Overview

org.webjars.npm:nodegit is a Node bindings to the libgit2 project.

Affected versions of this package are vulnerable to Improper Handling of Alternate Data Stream. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.

This vulnerability affects Git when running inside the Windows Subsystem for Linux and only when working on Windows drives where NTFS short names are enabled (which is the case, by default, for the system drive, i.e. C:).

The exploit uses a directory named git~1 and it allows remote code execution during a regular git clone.

For this reason, Git now turns on core.protectNTFS by default, which is also required to address CVE-2019-1352.