CVE-2022-24437

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions git-pull-or-clone versions prior to 2.0.2

Description The issue arises from the use of the --upload-pack feature of git, which is also supported for git clone. Although the source utilizes the secure child process API spawn(), the outpath parameter passed to it may be a command-line argument to the git clone command, resulting in arbitrary command injection.

Recommendations For versions prior to 2.0.2, update to version 2.0.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the outpath parameter in the git clone command to minimize the risk of exploitation.

Exploit

Fix

Argument Injection

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-88CWE-78CWE-77

Related Identifiers

CVE-2022-24437

GHSA-3X62-X456-Q2VM

SNYK-JS-GITPULLORCLONE-2434307

Affected Products

Git

Git-Pull-Or-Clone

CVE-2022-24437

Weakness Enumeration

Related Identifiers

Affected Products

References · 8