CVE-2022-1440

Published: Apr 22, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker.

Affected (1)

Products: Git Interface Project: Git Interface

Git Interface Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Git Interface Project Git Interface	Before 2.1.2

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d

Source: security@huntr.dev

PatchThird Party Advisory

https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1

Source: security@huntr.dev

ExploitMitigationThird Party Advisory

https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.