Command Injection

Affecting git-diff-apply package, versions <0.22.2

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

git-diff-apply is a package that can be used to reach an unrelated remote repository to apply a git diff.

Affected versions of this package are vulnerable to Command Injection. In "index.js" file, line 240, the run command executes the git command with an user controlled variable called remoteUrl.

PoC by JHU System Security Lab

var root = require("git-diff-apply");
var attack_code = "&touch Song&";
root({"remoteUrl": "&touch Song&", "startTag": "none"})

Remediation

Upgrade git-diff-apply to version 0.22.2 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Credit
JHU System Security Lab
CVE
CVE-2019-10776
CWE
CWE-78
Snyk ID
SNYK-JS-GITDIFFAPPLY-540774
Disclosed
06 Jan, 2020
Published
06 Jan, 2020