CVE Vulnerability

CVE-2022-1440

Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker.

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d Patch Third Party Advisory
https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1 Exploit Mitigation
Configurations

Configuration 1

cpe:2.3:a:git-interface_project:git-interface:*:*:*:*:*:node.js:*:*
Information

Published : 2022-04-22 06:15

Updated : 2022-05-04 04:27

NVD link : CVE-2022-1440

Mitre link : CVE-2022-1440

Products Affected
No products.
CWE
CWE-78