Description

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

Remediation

References

https://github.com/FredrikNoren/ungit/pull/1510

https://snyk.io/vuln/SNYK-JS-UNGIT-2414099

https://github.com/FredrikNoren/ungit/blob/master/CHANGELOG.md%231520

Related Vulnerabilities

CVE-2020-28272 Vulnerability in npm package keyget

CVE-2021-21346 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2015-6584 Vulnerability in maven package org.webjars.npm:datatables

CVE-2020-7609 Vulnerability in npm package node-rules

CVE-2017-16121 Vulnerability in npm package datachannel-client

Severity

Critical

Classification

CWE-88 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Patch Third Party Advisory Release Notes Broken Link