CVE-2022-24437 Information

Description

The package git-pull-or-clone before 2.0.2 are vulnerable to Command Injection due to the use of the –upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn(). However the outpath parameter passed to it may be a command-line argument to the git clone command and result in arbitrary command injection.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b https://github.com/feross/git-pull-or-clone/commit/f9ce092be13cc32e685dfa26e7705e9c6e3108a3 https://snyk.io/vuln/SNYK-JS-GITPULLORCLONE-2434307

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8