Improper Handling of Alternate Data Stream

Affecting org.webjars.npm:nodegit artifact, versions [0,]


Overview

org.webjars.npm:nodegit is the WebJar packaging of nodegit, which provides Node.js bindings to the libgit2 project.

Affected versions of this package are vulnerable to Improper Handling of Alternate Data Streams (CWE-69). Git, and the libgit2 library that nodegit wraps, were unaware of NTFS Alternate Data Streams, so a malicious repository could cause files inside the .git/ directory to be overwritten during a clone.

While the description mentions NTFS, this vulnerability can be exploited not only on Windows but also on macOS when working on smb://-mounted network shares. The exploit involves naming a directory .git::$INDEX_ALLOCATION. On NTFS a name of the form name:stream:$TYPE addresses a data stream of name, and $INDEX_ALLOCATION is the stream type of a directory's own index, so this path component addresses the .git directory itself while evading a check that only looks for a component literally named .git. The tree contents are then written into .git/ (typically to plant a hook), allowing remote code execution during a regular git clone.

The fix for this CVE requires the fix for CVE-2019-1353.
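As an added illustration, not code from nodegit or libgit2, the following JavaScript shows why a check that only rejects a path component spelled exactly .git is bypassable on NTFS, and what an NTFS-aware check has to normalise before comparing. The tree paths are constructed for the example; the short-name rule (GIT~1 as the 8.3 alias of .git) goes beyond what this advisory describes but belongs to the same family of NTFS name equivalences.

```javascript
// Added example, not nodegit's or libgit2's own code: why rejecting only a
// path component that is literally ".git" is bypassable on NTFS, and a check
// that applies NTFS's own name equivalences before comparing.
//
// NTFS / Win32 name rules relevant to this CVE:
//   - lookups are case-insensitive: ".GIT" opens ".git"
//   - trailing spaces and periods are stripped: ".git . ." opens ".git"
//   - "name:stream:$TYPE" addresses an Alternate Data Stream of "name";
//     with an empty stream name and the directory stream type,
//     ".git::$INDEX_ALLOCATION" addresses the directory ".git" itself
//   - 8.3 short names: "GIT~1" is the short name generated for ".git"
//     (this rule goes beyond what the advisory text mentions)

// The insufficient check the advisory describes: an exact match only.
function naiveIsDotGit(component) {
  return component === ".git";
}

// Reduce one path component to the name NTFS would actually open.
function ntfsCanonicalName(component) {
  // Everything from the first ':' onward selects a stream of the same
  // file or directory, so it does not change which object is opened.
  const colon = component.indexOf(":");
  const base = colon === -1 ? component : component.slice(0, colon);
  // Win32 strips trailing spaces and periods, then matches case-insensitively.
  return base.replace(/[ .]+$/, "").toLowerCase();
}

// Hardened check: does this component address the .git directory under
// NTFS semantics? ("git~1" is the 8.3 short name of ".git".)
function hardenedIsDotGit(component) {
  const name = ntfsCanonicalName(component);
  return name === ".git" || name === "git~1";
}

// A tree path is dangerous if any of its components addresses .git;
// both '/' and '\' act as path separators on Windows.
function pathTouchesDotGit(treePath, isDotGit) {
  return treePath.split(/[\\/]/).some(isDotGit);
}

// Constructed sample tree paths, as a hostile repository might ship them.
// Hook scripts under .git/hooks/ run automatically, which is how an
// overwrite inside .git/ becomes code execution on clone.
const SAMPLE_TREE_PATHS = [
  "README.md",
  ".gitignore",
  "src/main.js",
  ".git/hooks/post-checkout",
  ".GIT/config",
  ".git . ./hooks/post-checkout",
  ".git::$INDEX_ALLOCATION/hooks/post-checkout",
  "GIT~1/hooks/post-checkout",
];

// Paths a given filter would allow to be written to disk during checkout.
function allowedPaths(isDotGit, paths = SAMPLE_TREE_PATHS) {
  return paths.filter((p) => !pathTouchesDotGit(p, isDotGit));
}

// Run both filters over the sample and return what each would write.
function compareFilters() {
  const naive = allowedPaths(naiveIsDotGit);
  const hardened = allowedPaths(hardenedIsDotGit);
  return { naive, hardened };
}

if (typeof require !== "undefined" && require.main === module) {
  const { naive, hardened } = compareFilters();
  console.log("exact-match filter would write:", naive);
  console.log("NTFS-aware filter would write:", hardened);
}
```

Run with `node` and compare the two lists: the exact-match filter stops only the literal `.git/...` entry and lets the case-variant, trailing-dot, `::$INDEX_ALLOCATION` and `GIT~1` spellings through, every one of which NTFS resolves to the same `.git` directory. The hardened filter normalises the component the way the filesystem would before comparing, so all four aliases are rejected while `.gitignore` is still allowed.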

Remediation

There is no fixed version for org.webjars.npm:nodegit.

CVSS Score

8.9 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    Low
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H/E:F/RL:O/RC:C
Credit: Unknown
CVE: CVE-2019-1352
CWE: CWE-69
Snyk ID: SNYK-JAVA-ORGWEBJARSNPM-542727
Disclosed: 10 Dec, 2019
Published: 07 Jan, 2020