{ "schema_version": "1.4.0", "id": "GHSA-hxwm-x553-x359", "modified": "2021-08-02T19:02:32Z", "published": "2021-08-05T17:07:39Z", "aliases": [], "summary": "Arbitrary Command Injection due to Improper Command Sanitization", "details": "### Summary\nThere exists a command injection vulnerability in `npmcli/git` versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when `npmcli/git` is used to execute Git commands based on user controlled input. \n\nThe impact of this issue is possible Arbitrary Command Injection when `npmcli/git` is run with untrusted (user controlled) Git command arguments. \n\n### Impact\n\nArbitrary Command Injection\n\n### Details\n\n`npmcli/git` prior to release `2.0.8` passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing `git+https://github.com/npm/git; echo hello world` would trigger the shell execution of `echo hello world`. \n\nThis issue was remediated by no longer running `npmcli/git` git commands through an intermediate shell.\n\n### Patches\n\nThis issue has been patched in release `2.0.8`\n\n### Acknowledgements\n\nThis report was reported to us by @tyage (Ierae Security) through the [GitHub Bug Bounty Program](https://bounty.github.com).\n", "severity": [], "affected": [ { "package": { "ecosystem": "npm", "name": "@npmcli/git" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.0.8" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/npm/git/security/advisories/GHSA-hxwm-x553-x359" }, { "type": "WEB", "url": "https://github.com/npm/git/pull/29" } ], "database_specific": { "cwe_ids": [ "CWE-78" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-02T19:02:32Z", "nvd_published_at": null } }