CVE-2022-1440 – Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface
https://notcve.org/view.php?id=CVE-2022-1440
Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker. Una vulnerabilidad de inyección de comandos en git-interface@2.1.1 en el repositorio de GitHub yarkeev/git-interface versiones anteriores a 2.1.2. Si ambos son proporcionados por la entrada del usuario, entonces el uso de una característica de argumento de línea de comandos "--upload-pack" de git también es compatible con "git clone", lo que permitiría entonces que cualquier comando del sistema operativo sea generado por el atacante • https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d https://huntr.dev/bounties/cdc25408-d3c1-4a9d-bb45-33b12a715ca1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-24826 – Git LFS can execute a binary from the current directory on Windows
https://notcve.org/view.php?id=CVE-2022-24826
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`. The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds. • https://github.com/git-lfs/git-lfs/releases https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj • CWE-426: Untrusted Search Path •
CVE-2022-24767
https://notcve.org/view.php?id=CVE-2022-24767
GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account. GitHub: El desinstalador de Git para Windows es vulnerable al secuestro de DLL cuando se ejecuta bajo la cuenta de usuario SYSTEM • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24767 • CWE-427: Uncontrolled Search Path Element •
CVE-2022-24066 – Command Injection
https://notcve.org/view.php?id=CVE-2022-24066
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. El paquete simple-git versiones anteriores a 3.5.0, es vulnerable a una inyección de comandos debido a una corrección incompleta de [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) que sólo parchea contra el vector de ataque git fetch. Un uso similar de la función --upload-pack de git también es compatible con git clone, que la corrección anterior no cubría • https://gist.github.com/lirantal/a930d902294b833514e821102316426b https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820 https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2021-23632 – Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2021-23632
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. • https://snyk.io/vuln/SNYK-JS-GIT-1568518 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •