PT-2022-13891 · Git+1

Published 2022-04-22 · Updated 2022-05-04 · CVE-2022-1440

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: git-interface versions 2.1.1 through 2.1.1

Description: A command injection issue exists in git-interface. If both the git remote and the destination directory are supplied by user input, git's --upload-pack command-line argument, which git clone also supports, can be used by an attacker to spawn any operating system command.

Recommendations: For git-interface version 2.1.1, update to version 2.1.2 to resolve the issue. As a temporary workaround, consider restricting the use of git's --upload-pack command-line argument for git clone until a patch is available.
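
The argument handling described above, shown next to a hardened form. This is an added example, not code from git-interface or from its 2.1.2 fix; the function names, the scheme allow-list and the sample values are assumptions made for illustration.

```javascript
'use strict';

// Assumption for this example: only these remote URL schemes are accepted.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

// Pattern the advisory describes: caller-supplied strings become git
// arguments unchecked, so a value starting with "-" is parsed as an option.
function naiveCloneArgs(remote, dest) {
  return ['clone', remote, dest];
}

// Hardened form: validate both values, then put them after "--" so git
// treats them strictly as positional arguments.
function safeCloneArgs(remote, dest) {
  for (const [name, value] of [['remote', remote], ['dest', dest]]) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
    if (value.startsWith('-')) {
      throw new Error(`${name} must not start with "-"`);
    }
    if (/[\0\r\n]/.test(value)) {
      throw new Error(`${name} contains control characters`);
    }
  }
  let url;
  try {
    url = new URL(remote);
  } catch (err) {
    throw new Error('remote is not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`remote scheme ${url.protocol} is not allowed`);
  }
  return ['clone', '--', remote, dest];
}

// Constructed sample inputs; the option value is a placeholder.
const SAMPLES = [
  ['https://example.com/repo.git', 'checkout'],
  ['--upload-pack=PLACEHOLDER', 'checkout'],
  ['https://example.com/repo.git', '--upload-pack=PLACEHOLDER'],
];

function checkSamples() {
  return SAMPLES.map(([remote, dest]) => {
    try { safeCloneArgs(remote, dest); return 'accepted'; }
    catch (err) { return 'rejected: ' + err.message; }
  });
}
```

The returned array is meant to be passed to child_process.execFile('git', args), which starts git without going through a shell.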

Weakness Enumeration

Argument Injection
OS Command Injection

Related Identifiers

CVE-2022-1440
GHSA-QFFW-8WG7-H665

Affected Products

Git
Git-Interface