Command Injection Affecting git-diff-apply package, versions <0.22.2
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.56% (78th percentile)
- Snyk ID SNYK-JS-GITDIFFAPPLY-540774
- published 6 Jan 2020
- disclosed 6 Jan 2020
- credit JHU System Security Lab
Introduced: 6 Jan 2020
- CVE-2019-10776
How to fix?
Upgrade git-diff-apply to version 0.22.2 or higher.
Overview
git-diff-apply is a package that can be used to reach an unrelated remote repository to apply a git diff.
Affected versions of this package are vulnerable to Command Injection. In the "index.js" file, line 240, the run command executes the git command with a user-controlled variable called remoteUrl.
PoC by JHU System Security Lab
```javascript
var root = require("git-diff-apply");
// Shell metacharacters in remoteUrl reach the git command line unescaped.
var attack_code = "&touch Song&";
root({ "remoteUrl": attack_code, "startTag": "none" });
```